CVE-2025-9218

rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function

lowMissing Authorization

3.7

CVSS Score

3.7

CVSS Score

low

Severity

4.7.4

Patched in

Time to patch

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Low

Confidentiality

None

Integrity

None

Availability

Technical Details

Affected versions>=4.7.0 <=4.7.3

PublishedDecember 12, 2025

Last updatedDecember 13, 2025

Affected pluginbuddypress-media

Source Code

WordPress.org SVN

Vulnerable v4.7.3

Browse source Download .zip

Patched v4.7.4

Browse source Download .zip

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/68533b4c-1bdf-4104-a263-757b018af129?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database