WordPress Plugin Vulnerabilities

rtMedia for WordPress, BuddyPress and bbPress < 4.6.15 - Missing Authorization to Settings Update

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtmedia_admin_upload function in versions up to, and including, 4.6.14. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload a settings file and modify plugin settings.

Affects Plugins

Plugin icon
buddypress-media
Fixed in 4.6.15

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5dfc145e-d2d4-4137-a5c6-dec2ebb41876

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (Medium)

Miscellaneous

Verified
No
WPVDB ID
80fa3af7-1028-4f21-b5c4-f0e3350f7106

Timeline

Publicly Published
2023-09-04 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-03 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
Combo WP Rewrite Slugs <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Settings Change
Published
2024-01-12
Title
The Events Calendar < 6.2.9 - Unauthenticated Sensitive Information Exposure
Published
2024-05-09
Title
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler < 1.6.5 - Missing Authorization via Several AJAX Action
Published
2025-11-24
Title
PropertyHive < 2.1.13 - Missing Authorization
Published
2025-03-27
Title
Big Store < 2.0.9 - Missing Authorization