WordPress Plugin Vulnerabilities

rtMedia for WordPress, BuddyPress and bbPress < 4.7.10 - Missing Authorization

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.7.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
buddypress-media
Fixed in 4.7.10

References

CVE
CVE-2026-40773
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cacd9237-a330-4927-ac53-ee86b9ac8289

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jakub Herman
Verified
No
WPVDB ID
d10446cc-0da9-4083-b1e0-15ca3b1a2e7d

Timeline

Publicly Published
2026-04-21 (about 23 days ago)
Added
2026-04-30 (about 13 days ago)
Last Updated
2026-04-30 (about 13 days ago)

Other

Published
Title
Published
2021-11-24
Title
Hide My WP < 6.2.4 - Unauthenticated Plugin Deactivation
Published
2025-03-31
Title
Simple:Press < 6.11.6 - Missing Authorization
Published
2023-11-13
Title
WP Custom Admin Interface < 7.32 - Missing Authorization via wpcai_pro_notice_disable
Published
2025-04-01
Title
MyBookProgress by Stormhill Media <= 1.0.8 - Missing Authorization
Published
2025-04-25
Title
Aeropage Sync for Airtable < 3.3.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion