PatchSiren

RTMKit CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review RTMKit CVE published 2026-07-16

CVE-2026-12907

The RTMKit WordPress plugin before 2.0.9 has a vulnerability that allows users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors. This is normally restricted to administrators. The vulnerability exists due to a lack of proper capability checks on one of the plugin's AJAX actions. This could lead to un [truncated]

Review RTMKit CVE published 2026-07-16

CVE-2026-12906

The RTMKit WordPress plugin before 2.0.9 has a capability check bypass vulnerability. An AJAX action in the plugin does not properly verify the user's capabilities before allowing access to post information. Specifically, the plugin resolves a post identifier supplied in the request without adequate checks, enabling users with at least the Contributor role to read the titles of private, draft, pending, sc [truncated]