WordPress Plugin Vulnerabilities

rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

Affects Plugins

Plugin icon
buddypress-media
Fixed in 4.7.4

References

CVE
CVE-2025-9218
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/68533b4c-1bdf-4104-a263-757b018af129

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
3.7 (low)

Miscellaneous

Original Researcher
kr0d
Verified
No
WPVDB ID
4f6e96b9-62e9-4456-86e4-8e77fea67f35

Timeline

Publicly Published
2025-12-12 (about 5 months ago)
Added
2025-12-12 (about 5 months ago)
Last Updated
2025-12-13 (about 5 months ago)

Other

Published
Title
Published
2024-04-15
Title
GG Woo Feed for WooCommerce Shopping Feed < 1.2.7 - Missing Authorization
Published
2026-02-15
Title
Total Poll Lite <= 4.12.0 - Missing Authorization
Published
2026-04-08
Title
Vertex Addons for Elementor < 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'
Published
2025-03-27
Title
Traveler < 3.2.1 - Missing Authorization
Published
2023-01-09
Title
ChatBot < 4.2.9 - Unauthenticated Settings Reset