PatchSiren cyber security CVE debrief
CVE-2026-5149 rometheme CVE debrief
The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7. This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.
- Vendor
- rometheme
- Product
- RTMKit
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-16
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-16
Who should care
Users of the RTMKit plugin for WordPress, particularly those with Contributor-level access or above, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The weakness is classified as CWE-863.
Defensive priority
MEDIUM
Recommended defensive actions
- Update the RTMKit plugin to a version beyond 2.0.7.
- Restrict access to the get_submission_content AJAX endpoint to authorized users only.
- Monitor for suspicious activity related to form submissions.
Evidence notes
The vulnerability was reported by [email protected] and is documented in the Wordfence threat intelligence database [ref-8].
Official resources
CVE-2026-5149 was published on 2026-06-16T06:16:58.337Z and has not been modified since then.