WordPress Plugin Vulnerabilities

rtMedia for WordPress, BuddyPress and bbPress < 4.6.15 - Missing Authorization via export_settings

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the export_settings function in versions up to, and including, 4.6.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to export plugin settings.

Affects Plugins

Plugin icon
buddypress-media
Fixed in 4.6.15

References

CVE
CVE-2023-41951
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0cb5df54-a6a7-4c2e-8df0-5d050218622e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
42d985b5-5156-4300-a698-8f8c2a0dc1da

Timeline

Publicly Published
2023-09-06 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-05 (about 2 years ago)

Other

Published
Title
Published
2025-10-17
Title
Admin Management Xtended < 2.5.2 - Missing Authorization
Published
2025-11-17
Title
RestroPress < 3.2.3.6 - Missing Authorization
Published
2024-12-30
Title
Ashe Extra < 1.3 - Missing Authorization
Published
2025-07-07
Title
Multi-language Responsive Contact Form <= 2.8 - Missing Authorization
Published
2024-06-06
Title
Copymatic – AI Content Writer & Generator < 2.0 - Missing Authorization