rtMedia for WordPress, BuddyPress and bbPress 4.7.0

3.7 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

Basic Information

ID CVE-2025-9218

Source Wordfence

Published Dec 13, 2025 at 04:31

Affected Product

Vendor rtcamp

Product rtMedia for WordPress, BuddyPress and bbPress

Version 4.7.0

Affected Versions rtcamp rtMedia for WordPress, BuddyPress and bbPress 4.7.0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.",
    "published": "2025-12-13T04:31:26.133Z",
    "modified": "2025-12-13T04:31:26.133Z",
    "type": "cve",
    "title": "rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68533b4c-1bdf-4104-a263-757b018af129?source=cve\nhttps://wordpress.org/plugins/buddypress-media/#developers\nhttps://plugins.trac.wordpress.org/changeset/3386907/buddypress-media/tags/4.7.4/app/main/controllers/api/RTMediaJsonApi.php",
    "id": "CVE-2025-9218",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "rtcamp rtMedia for WordPress, BuddyPress and bbPress 4.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 3.7,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rtMedia for WordPress, BuddyPress and bbPress",
    "version": "4.7.0",
    "vendor": "rtcamp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

rtMedia for WordPress, BuddyPress and bbPress 4.7.0 – 4.7.3 – Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function_CVE-2025-9218