CVE-2026-8351
Severity: Medium (CVSS 6.4)
Summary
The RTMKit plugin for WordPress up to version 2.0.7 is vulnerable to Stored Cross-Site Scripting in the Advanced Heading widget due to insufficient output escaping of the 'Background Text' parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users visit the page.
Risk Assessment
An attacker can inject malicious JavaScript that executes in browsers of visitors, potentially leading to session hijacking, redirects, or defacement.
Recommendation
Update the RTMKit plugin to version 2.0.8 or later immediately. If no update is available, temporarily disable the Advanced Heading widget.
Original NVD description (English source)
The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7. This is due to insufficient output escaping on the 'background_text_heading' setting in the render() function, which concatenates the value directly into an HTML attribute without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
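The defect pattern the NVD text describes, shown beside its fix, as an added illustration that is not the RTMKit plugin's own code: the widget markup, setting keys other than 'background_text_heading', and the fallback definitions of esc_attr()/esc_html() for running outside WordPress are assumptions.

```php
<?php
// Hypothetical reconstruction of the render() pattern from the advisory,
// not RTMKit's actual source. Elementor-style widgets receive their
// settings as an array and return HTML as a string.

// Stand-ins so the file runs outside WordPress. Real esc_attr()/esc_html()
// do slightly more (entity normalisation, filters) but the core effect is
// the same: quotes, angle brackets and ampersands become entities.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable form: the contributor-controlled setting is concatenated into a
// double-quoted attribute unescaped. A value containing a double quote
// closes the attribute early, so whatever follows is parsed as new markup.
function render_advanced_heading_vulnerable( array $settings ): string {
    $bg = $settings['background_text_heading'] ?? '';
    return '<h2 class="rtm-advanced-heading" data-bg-text="' . $bg . '">'
        . esc_html( $settings['title'] ?? '' ) . '</h2>';
}

// Hardened form: esc_attr() is applied at the point of output, in the
// attribute context, so the value can no longer leave the attribute.
function render_advanced_heading_fixed( array $settings ): string {
    $bg = $settings['background_text_heading'] ?? '';
    return '<h2 class="rtm-advanced-heading" data-bg-text="' . esc_attr( $bg ) . '">'
        . esc_html( $settings['title'] ?? '' ) . '</h2>';
}

// Constructed sample: even a benign value with a double quote shows the
// context break in the vulnerable output and the intact attribute after the fix.
$sample = array(
    'background_text_heading' => 'Our "Services"',
    'title'                   => 'About us',
);
echo render_advanced_heading_vulnerable( $sample ), PHP_EOL;
echo render_advanced_heading_fixed( $sample ), PHP_EOL;
```

When reviewing a widget for this class of bug, grep its render() for attribute strings built by concatenation and confirm every interpolated setting passes through esc_attr() (or esc_url()/esc_html() for their respective contexts) at the output site.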

