CVE-2025-30911 PoC — WordPress RomethemeKit For Elementor plugin <= 1.5.4 - Arbitrary Plugin Installation/Activation to RCE vulnerability

Associated vulnerability

Title: WordPress RomethemeKit For Elementor plugin <= 1.5.4 - Arbitrary Plugin Installation/Activation to RCE vulnerability (CVE-2025-30911)

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit (rometheme-for-elementor) allows Command Injection. This issue affects RTMKit: from n/a through <= 1.5.4.

Repository description: WordPress RomethemeKit For Elementor Plugin <= 1.5.4 is vulnerable to Remote Code Execution (RCE)

Readme
# Exploit for CVE-2025-30911 – WordPress RomethemeKit <= 1.5.4

This script exploits a **critical vulnerability** in the **RomethemeKit For Elementor WordPress plugin (<= v1.5.4)** that allows **authenticated arbitrary plugin installation and activation**, potentially leading to **Remote Code Execution (RCE)**.

---

## 🛠️ Vulnerability Summary

- **CVE ID**: CVE-2025-30911  
- **Plugin**: RomethemeKit For Elementor  
- **Affected Versions**: <= 1.5.4  
- **Vulnerability Type**: Arbitrary Plugin Installation & Activation → RCE  
- **CWE**: [CWE-94: Improper Control of Generation of Code](https://cwe.mitre.org/data/definitions/94.html)  
- **CVSS Score**: 9.9 (Critical)  
  `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`

The vulnerability allows an authenticated attacker (with Administrator access) to programmatically install and activate any plugin — including potentially malicious ones — which may lead to full code execution on the server.

---

## 🚀 Features

- ✅ Auto-detects plugin version to confirm vulnerability.
- ✅ Authenticates using valid admin credentials.
- ✅ Installs and activates any WordPress plugin using the vulnerable AJAX endpoint.
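The version detection in the first feature is, from the site owner's side, the same question in reverse: is the installed copy inside the affected range (<= 1.5.4)? The block below is an added example, not code from the PoC or from the plugin, that answers it from the plugin header WordPress itself reads (`Version:` in the main plugin file, or `Stable tag:` in `readme.txt`). It assumes the standard WordPress layout `wp-content/plugins/<slug>/`, with the slug `rometheme-for-elementor` taken from the advisory text; the sample headers are constructed for the demonstration. It goes slightly beyond a plain string compare by comparing numerically, so that a hypothetical 1.10.0 is correctly treated as newer than 1.5.4.

```python
import os
import re
import sys

# Affected range stated by the advisory on this page: every release up to and including 1.5.4.
LAST_AFFECTED = "1.5.4"
# Plugin slug from the advisory text; the main file lives under wp-content/plugins/<slug>/.
PLUGIN_SLUG = "rometheme-for-elementor"

# Matches ' * Version: 1.5.4' in a plugin header or 'Stable tag: 1.5.4' in readme.txt.
_VERSION_RE = re.compile(r"^\s*\*?\s*(?:Version|Stable tag):\s*([^\r\n]+)", re.M | re.I)


def parse_version(v):
    """'1.5.4' -> (1, 5, 4). A pre-release suffix such as '1.5.4-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError("unparseable version string: %r" % v)
    return tuple(int(x) for x in m.group(1).split("."))


def version_le(a, b):
    """True if version a <= version b numerically (so 1.10.0 > 1.5.4 and 1.5 == 1.5.0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) <= tb + (0,) * (width - len(tb))


def header_version(text):
    """Read the 'Version:' field of a plugin main-file header, or 'Stable tag:' of a readme.txt."""
    m = _VERSION_RE.search(text)
    return m.group(1).strip() if m else None


def is_affected(text):
    """Decide from header text whether the installed copy falls in the affected range."""
    v = header_version(text)
    if v is None:
        raise ValueError("no Version/Stable tag header found")
    return version_le(v, LAST_AFFECTED)


def check_plugin_dir(plugin_dir):
    """Scan the top-level .php files of an installed plugin directory for the version header.

    Returns (filename, affected) or (None, None) when no header is found."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself reads only the first 8 KiB for headers
        if header_version(head) is not None:
            return name, is_affected(head)
    return None, None


# Constructed sample headers for the demonstration; not copied from the real plugin.
VULNERABLE_HEADER = """<?php
/**
 * Plugin Name: RomethemeKit For Elementor
 * Version: 1.5.4
 */
"""
# A hypothetical later release number, used only to show the comparison flipping.
LATER_HEADER = VULNERABLE_HEADER.replace("1.5.4", "1.6.0")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 check_version.py /var/www/html/wp-content/plugins/rometheme-for-elementor
        print(check_plugin_dir(sys.argv[1]))
    else:
        print("pass the path to wp-content/plugins/%s to scan a real install" % PLUGIN_SLUG)
        print("1.5.4 affected:", is_affected(VULNERABLE_HEADER))  # True
        print("1.6.0 affected:", is_affected(LATER_HEADER))       # False
```

Pointed at a real plugin directory, it reports the first file carrying a version header and whether that version is within the affected range; the header field is the same one the WordPress admin screen shows, so a site that reports a version above 1.5.4 there will be reported as not affected here too.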

---

## ⚙️ Usage

```bash
python3 CVE-2025-30911.py -u http://target/wordpress -un admin -p password -pl hello-dolly/hello.php
```

### 🧩 Arguments

```text
usage: CVE-2025-30911.py [-h] -u URL -un USERNAME -p PASSWORD [-pl PLUGIN]

Exploit For CVE-2025-30911 | By Nxploited Khaled Alenazi

options:
  -h, --help            Show this help message and exit
  -u, --url URL         Base URL of the WordPress site
  -un, --username USERNAME   WordPress admin username
  -p, --password PASSWORD    WordPress admin password
  -pl, --plugin PLUGIN       Plugin to install (default: hello-dolly/hello.php)
```

---

## 📝 Example

```bash
python3 CVE-2025-30911.py -u http://192.168.100.74:888/wordpress -un admin -p admin -pl hello-dolly/hello.php
```

---

## 🔐 Requirements

- Python 3.x
- `requests` library (install via `pip install requests`)
- Valid WordPress Admin credentials
- Vulnerable RomethemeKit For Elementor plugin (<= 1.5.4) installed and active

---

## ⚠️ Disclaimer

This tool is provided **for educational and authorized security testing only**. Unauthorized use is illegal and unethical.

---

*By: Nxploited | Khaled Alenazi*
File Snapshot

```text
/data/pocs/362c6dd9e69c5acbab8704f46c9bae09b8ab17d8
├── CVE-2025-30911.py   (3.2K)
├── LICENSE             (1.1K)
└── README.md           (2.3K)

0 directories, 3 files
```