CVE-2025-30911: 
WordPress vulnerability analysis and mitigation

A critical code injection vulnerability was discovered in the RomethemeKit For Elementor WordPress plugin, identified as CVE-2025-30911. The vulnerability affects versions through 1.5.4 of the plugin and was disclosed on March 27, 2025. The issue allows for Command Injection through improper control of code generation (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. It is classified under CWE-94 (Improper Control of Generation of Code) and requires subscriber-level privileges for exploitation (NVD, Patchstack).

The vulnerability enables Remote Code Execution (RCE), allowing malicious actors to execute commands on the target website. This can potentially lead to full website compromise through backdoor access. The high CVSS score of 9.9 indicates this is a critical security issue expected to become mass exploited (Patchstack).

Users are strongly advised to update to version 1.5.5 or later of the RomethemeKit For Elementor plugin to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).