The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.
History

Thu, 16 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jul 2026 06:30:00 +0000

Type Values Removed Values Added
Description The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.
Title RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-16T16:53:35.525Z

Reserved: 2026-06-22T14:41:41.058Z

Link: CVE-2026-12906

cve-icon Vulnrichment

Updated: 2026-07-16T16:52:33.061Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.