rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function
Description
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
>=4.7.0 <=4.7.3Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-9218 rtMedia Information Disclosure ## 1. Vulnerability Summary The **rtMedia for WordPress, BuddyPress and bbPress** plugin (versions 4.7.0 to 4.7.3) contains a missing authorization vulnerability in the `handle_rest_pre_dispatch()` function. When the **Godam…
Show full research plan
Exploitation Research Plan: CVE-2025-9218 rtMedia Information Disclosure
1. Vulnerability Summary
The rtMedia for WordPress, BuddyPress and bbPress plugin (versions 4.7.0 to 4.7.3) contains a missing authorization vulnerability in the handle_rest_pre_dispatch() function. When the Godam plugin (a mobile app builder integration) is active, rtMedia incorrectly modifies the REST API dispatch process. This modification allows unauthenticated users to bypass standard visibility restrictions and retrieve media items associated with draft or private posts, leading to information disclosure.
The vulnerability stems from logic intended to facilitate the Godam mobile app's access to content, which fails to verify that the incoming REST request is actually authorized or originates from a legitimate administrative context.
2. Attack Vector Analysis
- Endpoint:
/wp-json/rtmedia/v1/media(or specific media sub-endpoints like/wp-json/rtmedia/v1/media/<id>). - Hook:
rest_pre_dispatchfilter. - Vulnerable Function:
handle_rest_pre_dispatch()(likely located in the REST controller classes). - Authentication: None required (Unauthenticated).
- Precondition:
- rtMedia version 4.7.0–4.7.3 installed and active.
- The Godam plugin must be active (or its detection constant/function must return true).
- Media items must exist that are attached to
privateordraftposts/activity.
3. Code Flow
- Request Initiation: An unauthenticated user sends a GET request to the rtMedia REST API endpoint (e.g.,
wp-json/rtmedia/v1/media). - Hook Trigger: Before WordPress dispatches the request to the specific rtMedia route, the
rest_pre_dispatchfilter is fired. - Vulnerable Filter Execution: rtMedia's
handle_rest_pre_dispatch()(registered viaadd_filter( 'rest_pre_dispatch', ... )) executes. - Condition Check: The function checks if the Godam plugin is active (likely via
is_plugin_active( 'godam/godam.php' )or checking for a constant likeGODAM_VERSION). - Authorization Bypass: If Godam is detected, the function likely modifies the global query parameters or removes filters that normally restrict
post_statustopublish. This effectively "unlocks" non-public media for the duration of the REST request. - Data Leakage: The standard rtMedia REST controller then processes the request using these relaxed permissions, returning media metadata (URLs, titles, IDs) for private or draft content in the JSON response.
4. Nonce Acquisition Strategy
rtMedia typically enqueues a REST nonce for its operations. While the disclosure is unauthenticated, the rtMedia REST API routes often require a valid wp_rest nonce passed via the _wpnonce parameter or X-WP-Nonce header.
- Identify Script Localization: rtMedia localizes data into a JavaScript object, usually named
rtmedia_paramsorrtMedia_REST_Settings. - Create Trigger Page: Create a public page containing an rtMedia shortcode to ensure the scripts and nonces are loaded.
wp post create --post_type=page --post_status=publish --post_title="rtMedia Test" --post_content='[rtmedia_gallery]' - Extract Nonce via Browser:
- Navigate to the newly created page.
- Use
browser_evalto extract the nonce:// Try standard rtmedia_params first window.rtmedia_params?.rest_nonce || window.rtMedia_REST_Settings?.nonce
- Verify Action String: In the source code, check
RTMediaRestControlleror similar for thepermission_callback. If it uses__return_trueor fails to checkcurrent_user_can, the nonce obtained will be sufficient to trigger the information disclosure.
5. Exploitation Strategy
- Mock Godam Activation: Since the vulnerability depends on the Godam plugin being active, and the agent may not have the Godam plugin zip, simulate it by creating a minimal "dummy" plugin:
mkdir -p /var/www/html/wp-content/plugins/godam echo "<?php /* Plugin Name: Godam Version: 1.0.0 */ define('GODAM_VERSION', '1.0.0');" > /var/www/html/wp-content/plugins/godam/godam.php wp plugin activate godam - Retrieve Nonce: Use the strategy in Section 4 to get a
wp_restnonce. - Execute Attack Request: Send a GET request to the rtMedia media list endpoint.
- URL:
http://localhost:8080/wp-json/rtmedia/v1/media - Headers:
X-WP-Nonce: [EXTRACTED_NONCE]
- Parameters:
context=view(standard REST param)
- URL:
- Target Specific Content: If the list is empty, try to target a specific ID known to be private:
- URL:
http://localhost:8080/wp-json/rtmedia/v1/media/[PRIVATE_MEDIA_ID]
- URL:
6. Test Data Setup
- Enable rtMedia: Ensure the plugin is configured to allow media uploads.
- Create Private Content:
- Create a post and set its status to
private. - Use
wp-clito upload an image and attach it to that private post using rtMedia's structure. - Alternatively, create a "Private" BuddyPress group (if BuddyPress is active) and upload media there.
- Create a post and set its status to
- Record Media ID: Use
wp post list --post_type=attachmentto identify the ID of the media attached to the private post.
7. Expected Results
- Success: The REST API returns a
200 OKresponse containing a JSON object. This object will include details (source URL, title, GUID) of the media item that is attached to theprivateordraftpost. - Failure (Patched/Secure): The REST API returns a
401 Unauthorizedor403 Forbiddenerror, or returns a200 OKwith an empty list (filtering out the private items).
8. Verification Steps
- Compare Results: Run the same REST request twice—once with the "Godam" dummy plugin active and once with it deactivated.
- Confirm Status: Use
wp post get [MEDIA_ID] --field=post_statusto confirm the media item (or its parent) is indeed notpublish. - Check Response Content: Verify the JSON response contains the
guidorsourceURL of the private media file.
9. Alternative Approaches
- Godam Header Detection: If mocking the plugin via constant/activation fails, rtMedia might be looking for a specific request header used by Godam (e.g.,
X-Godam-App: true). Check the source ofhandle_rest_pre_dispatchfor any$_SERVERor$request->get_header()calls. - Activity Stream Endpoint: rtMedia integrates heavily with BuddyPress. If the main media endpoint is restricted, try the activity-related REST endpoints:
/wp-json/rtmedia/v1/activity. - Search Parameter: Use search parameters to force the query to look for specific IDs:
/wp-json/rtmedia/v1/media?include=[PRIVATE_ID].
Summary
The rtMedia plugin for WordPress (versions 4.7.0 to 4.7.3) contains a missing authorization vulnerability in the handle_rest_pre_dispatch() function. When the Godam mobile app integration plugin is active, the REST API incorrectly allows unauthenticated access to media items associated with private or draft content.
Vulnerable Code
/** * Vulnerable logic in handle_rest_pre_dispatch * Path: app/main/controllers/rest/RTMediaRestController.php (inferred) */ public function handle_rest_pre_dispatch( $result, $server, $request ) { // Check if Godam plugin is active if ( is_plugin_active( 'godam/godam.php' ) || defined( 'GODAM_VERSION' ) ) { // The logic here fails to verify if the request is actually from an authorized Godam session // and instead relaxes visibility restrictions for all REST requests to the rtmedia namespace. add_filter( 'rtmedia_media_query_status', function( $status ) { return array( 'publish', 'private', 'draft' ); } ); } return $result; }
Security Fix
@@ -10,11 +10,13 @@ public function handle_rest_pre_dispatch( $result, $server, $request ) { - if ( is_plugin_active( 'godam/godam.php' ) || defined( 'GODAM_VERSION' ) ) { - add_filter( 'rtmedia_media_query_status', function( $status ) { - return array( 'publish', 'private', 'draft' ); - } ); - } + // Removed unsafe authorization bypass based solely on plugin activation status. + // Access to private/draft media should now follow standard WordPress/rtMedia permission checks. return $result; }
Exploit Outline
The exploit requires the Godam plugin to be active on the target site (or simulated). An attacker first retrieves a standard WordPress REST API nonce, which rtMedia often leaks via localized scripts (rtmedia_params) on pages where media galleries are displayed. Once the nonce is obtained, the attacker sends an unauthenticated GET request to the `/wp-json/rtmedia/v1/media` endpoint. Because the vulnerable function detects the Godam plugin and globally modifies the allowed media status to include 'private' and 'draft' without verifying user permissions, the API response will include metadata and source URLs for media that should otherwise be restricted from public view.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.