CVE-2024-10326: CWE-862 Missing Authorization in rometheme RTMKit
The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or reset plugin widgets to their default state (all enabled). NOTE: This vulnerability was partially fixed in version 1.5.3.
AI Analysis
Technical Summary
CVE-2024-10326 is a missing authorization vulnerability (CWE-862) in the RomethemeKit For Elementor WordPress plugin (RTMKit). The issue arises from the absence of capability checks on the save_options and reset_widgets functions in all versions up to and including 1.5.3. This flaw enables authenticated attackers with Subscriber-level privileges or higher to modify plugin configuration or reset widgets to default states without proper authorization. The vulnerability was only partially addressed in version 1.5.3, and no complete patch is currently confirmed. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low complexity and limited impact on integrity without affecting confidentiality or availability.
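As an added illustration (not RTMKit's own code; the hook names, option keys and widget list are hypothetical), the pattern behind a CWE-862 finding in a WordPress AJAX handler, beside the hardened form that a capability check and nonce verification give it:

```php
<?php
// Added example, not the plugin's code. Hook names, option keys and the
// widget list below are hypothetical placeholders.

// Vulnerable pattern: wp_ajax_* actions fire for every logged-in role, so a
// handler with no capability check lets a Subscriber write plugin settings.
// Shown for contrast only; it is deliberately not registered with add_action.
function rtmkit_example_save_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    update_option( 'rtmkit_example_options', $options );
    wp_send_json_success();
}

// Hardened pattern: require the administrative capability and a nonce bound
// to this specific action, then persist only an allowlisted, typed structure.
function rtmkit_example_save_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 ); // calls wp_die()
    }
    check_ajax_referer( 'rtmkit_example_save_options', 'nonce' ); // dies on failure

    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    $clean   = array();
    foreach ( array( 'enable_widgets', 'enable_templates' ) as $key ) {
        $clean[ $key ] = ! empty( $options[ $key ] ); // coerce to boolean
    }
    update_option( 'rtmkit_example_options', $clean );
    wp_send_json_success( $clean );
}

// Same gate on the reset path: deleting the stored widget state makes the
// defaults (all widgets enabled) apply on the next read.
function rtmkit_example_reset_widgets_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    check_ajax_referer( 'rtmkit_example_reset_widgets', 'nonce' );
    delete_option( 'rtmkit_example_widgets' );
    wp_send_json_success();
}

add_action( 'wp_ajax_rtmkit_example_save_options', 'rtmkit_example_save_options_hardened' );
add_action( 'wp_ajax_rtmkit_example_reset_widgets', 'rtmkit_example_reset_widgets_hardened' );
```

The capability check is the control CWE-862 describes as missing; the nonce check on its own only addresses cross-site request forgery and would not stop a low-privilege user acting on their own behalf.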
Potential Impact
Authenticated users with low privileges (Subscriber-level and above) can modify plugin settings or reset widgets without proper authorization. This can lead to unauthorized changes in the plugin's behavior or appearance but does not impact data confidentiality or availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Version 1.5.3 includes a partial fix, but a complete resolution is not confirmed. Until an official patch is released, restrict Subscriber-level access where possible and monitor plugin updates from the vendor for a full fix.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-10-23T23:07:45.983Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6df2b7ef31ef0b5912c5
Added to database: 2/25/2026, 9:47:30 PM
Last enriched: 4/9/2026, 7:00:38 PM
Last updated: 4/12/2026, 9:05:15 AM