CVE-2026-12906 PUBLISHED

RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure

Assigner: WPScan
Reserved: 22.06.2026 Published: 16.07.2026 Updated: 16.07.2026

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.

Product Status

Vendor Unknown
Product RTMKit
Versions Default: unaffected
  • affected from 0 to 2.0.9 (excl.)

Credits

  • Meher Sudhakar Abbireddi finder
  • WPScan coordinator

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE