Vulnerability Management, Patch/Configuration Management

RomethemeKit For Elementor plugin impacted by RCE bug


Widely used WordPress plugin RomethemeKit for Elementor was discovered to be affected by a critical security vulnerability, tracked as CVE-2025-30911, which could be leveraged to facilitate remote code execution, Infosecurity Magazine reports.

Attackers could exploit the flaw, which stems from inadequate permission and nonce checks in the plugin's install_requirements function, to activate arbitrary plugins, leading to arbitrary code execution from a low-privilege account, according to Patchstack researchers. Patches were issued in March following an incomplete fix in late January, and immediate installation has been recommended. Meanwhile, developers have been urged to prevent similar issues by adopting robust permission checks for admin-level actions, enabling nonce verification for AJAX-initiated actions, and restricting access for low-privilege users. Aside from conducting regular code audits and security evaluations, developers should maintain strict input validation and follow the coding practice recommendations provided by WordPress.
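The mitigations above, as an added illustration written for this page rather than code from RomethemeKit or Patchstack: a hypothetical AJAX handler (`demo_install_requirements`, with a constructed allowlist entry) that activates a plugin, shown once without checks and once with the nonce verification, capability check and input restriction the article recommends.

```php
<?php
// Added illustration, not the plugin's own code. All function names, the
// nonce action and the allowlisted plugin path are hypothetical.

// --- Weak pattern (not hooked to any action here): every logged-in user can
// reach wp_ajax_* handlers, and nothing checks authorization or a nonce
// before the privileged activate_plugin() call.
function demo_install_requirements_weak() {
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    activate_plugin( $plugin ); // privileged action with no authorization
    wp_send_json_success();
}

// --- Hardened pattern.
function demo_install_requirements_hardened() {
    // 1. Nonce check: the request must carry a token issued by this plugin's
    //    own admin script, so forged cross-site requests are rejected (dies).
    check_ajax_referer( 'demo_install_requirements', 'nonce' );

    // 2. Capability check: only users allowed to activate plugins proceed;
    //    subscribers and other low-privilege roles are refused.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input restriction: accept only plugin paths from an allowlist the
    //    plugin author controls, never an arbitrary path named by the client.
    $allowed = array( 'example-dependency/example-dependency.php' ); // constructed
    $plugin  = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( ! in_array( $plugin, $allowed, true ) ) {
        wp_send_json_error( 'plugin not permitted', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_install_requirements', 'demo_install_requirements_hardened' );

// The nonce is handed only to the admin-side script that issues the request.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_install_requirements' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

Note that the nonce and capability checks are independent: a nonce only proves the request came from a page the plugin rendered, so the `current_user_can` check is still what stops a low-privilege user who legitimately loaded that page.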
