CVE-2025-9218

rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function

lowMissing Authorization
3.7
CVSS Score
3.7
CVSS Score
low
Severity
4.7.4
Patched in
1d
Time to patch

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions>=4.7.0 <=4.7.3
PublishedDecember 12, 2025
Last updatedDecember 13, 2025
Affected pluginbuddypress-media

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-9218 rtMedia Information Disclosure ## 1. Vulnerability Summary The **rtMedia for WordPress, BuddyPress and bbPress** plugin (versions 4.7.0 to 4.7.3) contains a missing authorization vulnerability in the `handle_rest_pre_dispatch()` function. When the **Godam…

Show full research plan

Exploitation Research Plan: CVE-2025-9218 rtMedia Information Disclosure

1. Vulnerability Summary

The rtMedia for WordPress, BuddyPress and bbPress plugin (versions 4.7.0 to 4.7.3) contains a missing authorization vulnerability in the handle_rest_pre_dispatch() function. When the Godam plugin (a mobile app builder integration) is active, rtMedia incorrectly modifies the REST API dispatch process. This modification allows unauthenticated users to bypass standard visibility restrictions and retrieve media items associated with draft or private posts, leading to information disclosure.

The vulnerability stems from logic intended to facilitate the Godam mobile app's access to content, which fails to verify that the incoming REST request is actually authorized or originates from a legitimate administrative context.

2. Attack Vector Analysis

  • Endpoint: /wp-json/rtmedia/v1/media (or specific media sub-endpoints like /wp-json/rtmedia/v1/media/<id>).
  • Hook: rest_pre_dispatch filter.
  • Vulnerable Function: handle_rest_pre_dispatch() (likely located in the REST controller classes).
  • Authentication: None required (Unauthenticated).
  • Precondition:
    1. rtMedia version 4.7.0–4.7.3 installed and active.
    2. The Godam plugin must be active (or its detection constant/function must return true).
    3. Media items must exist that are attached to private or draft posts/activity.

3. Code Flow

  1. Request Initiation: An unauthenticated user sends a GET request to the rtMedia REST API endpoint (e.g., wp-json/rtmedia/v1/media).
  2. Hook Trigger: Before WordPress dispatches the request to the specific rtMedia route, the rest_pre_dispatch filter is fired.
  3. Vulnerable Filter Execution: rtMedia's handle_rest_pre_dispatch() (registered via add_filter( 'rest_pre_dispatch', ... )) executes.
  4. Condition Check: The function checks if the Godam plugin is active (likely via is_plugin_active( 'godam/godam.php' ) or checking for a constant like GODAM_VERSION).
  5. Authorization Bypass: If Godam is detected, the function likely modifies the global query parameters or removes filters that normally restrict post_status to publish. This effectively "unlocks" non-public media for the duration of the REST request.
  6. Data Leakage: The standard rtMedia REST controller then processes the request using these relaxed permissions, returning media metadata (URLs, titles, IDs) for private or draft content in the JSON response.

4. Nonce Acquisition Strategy

rtMedia typically enqueues a REST nonce for its operations. While the disclosure is unauthenticated, the rtMedia REST API routes often require a valid wp_rest nonce passed via the _wpnonce parameter or X-WP-Nonce header.

  1. Identify Script Localization: rtMedia localizes data into a JavaScript object, usually named rtmedia_params or rtMedia_REST_Settings.
  2. Create Trigger Page: Create a public page containing an rtMedia shortcode to ensure the scripts and nonces are loaded.
    wp post create --post_type=page --post_status=publish --post_title="rtMedia Test" --post_content='[rtmedia_gallery]'
    
  3. Extract Nonce via Browser:
    • Navigate to the newly created page.
    • Use browser_eval to extract the nonce:
      // Try standard rtmedia_params first
      window.rtmedia_params?.rest_nonce || window.rtMedia_REST_Settings?.nonce
      
  4. Verify Action String: In the source code, check RTMediaRestController or similar for the permission_callback. If it uses __return_true or fails to check current_user_can, the nonce obtained will be sufficient to trigger the information disclosure.

5. Exploitation Strategy

  1. Mock Godam Activation: Since the vulnerability depends on the Godam plugin being active, and the agent may not have the Godam plugin zip, simulate it by creating a minimal "dummy" plugin:
    mkdir -p /var/www/html/wp-content/plugins/godam
    echo "<?php
    /*
    Plugin Name: Godam
    Version: 1.0.0
    */
    define('GODAM_VERSION', '1.0.0');" > /var/www/html/wp-content/plugins/godam/godam.php
    wp plugin activate godam
    
  2. Retrieve Nonce: Use the strategy in Section 4 to get a wp_rest nonce.
  3. Execute Attack Request: Send a GET request to the rtMedia media list endpoint.
    • URL: http://localhost:8080/wp-json/rtmedia/v1/media
    • Headers:
      • X-WP-Nonce: [EXTRACTED_NONCE]
    • Parameters: context=view (standard REST param)
  4. Target Specific Content: If the list is empty, try to target a specific ID known to be private:
    • URL: http://localhost:8080/wp-json/rtmedia/v1/media/[PRIVATE_MEDIA_ID]

6. Test Data Setup

  1. Enable rtMedia: Ensure the plugin is configured to allow media uploads.
  2. Create Private Content:
    • Create a post and set its status to private.
    • Use wp-cli to upload an image and attach it to that private post using rtMedia's structure.
    • Alternatively, create a "Private" BuddyPress group (if BuddyPress is active) and upload media there.
  3. Record Media ID: Use wp post list --post_type=attachment to identify the ID of the media attached to the private post.

7. Expected Results

  • Success: The REST API returns a 200 OK response containing a JSON object. This object will include details (source URL, title, GUID) of the media item that is attached to the private or draft post.
  • Failure (Patched/Secure): The REST API returns a 401 Unauthorized or 403 Forbidden error, or returns a 200 OK with an empty list (filtering out the private items).

8. Verification Steps

  1. Compare Results: Run the same REST request twice—once with the "Godam" dummy plugin active and once with it deactivated.
  2. Confirm Status: Use wp post get [MEDIA_ID] --field=post_status to confirm the media item (or its parent) is indeed not publish.
  3. Check Response Content: Verify the JSON response contains the guid or source URL of the private media file.

9. Alternative Approaches

  • Godam Header Detection: If mocking the plugin via constant/activation fails, rtMedia might be looking for a specific request header used by Godam (e.g., X-Godam-App: true). Check the source of handle_rest_pre_dispatch for any $_SERVER or $request->get_header() calls.
  • Activity Stream Endpoint: rtMedia integrates heavily with BuddyPress. If the main media endpoint is restricted, try the activity-related REST endpoints: /wp-json/rtmedia/v1/activity.
  • Search Parameter: Use search parameters to force the query to look for specific IDs: /wp-json/rtmedia/v1/media?include=[PRIVATE_ID].
Research Findings
Static analysis — not yet PoC-verified

Summary

The rtMedia plugin for WordPress (versions 4.7.0 to 4.7.3) contains a missing authorization vulnerability in the handle_rest_pre_dispatch() function. When the Godam mobile app integration plugin is active, the REST API incorrectly allows unauthenticated access to media items associated with private or draft content.

Vulnerable Code

/**
 * Vulnerable logic in handle_rest_pre_dispatch
 * Path: app/main/controllers/rest/RTMediaRestController.php (inferred)
 */
public function handle_rest_pre_dispatch( $result, $server, $request ) {
    // Check if Godam plugin is active
    if ( is_plugin_active( 'godam/godam.php' ) || defined( 'GODAM_VERSION' ) ) {
        // The logic here fails to verify if the request is actually from an authorized Godam session
        // and instead relaxes visibility restrictions for all REST requests to the rtmedia namespace.
        add_filter( 'rtmedia_media_query_status', function( $status ) {
            return array( 'publish', 'private', 'draft' );
        } );
    }
    return $result;
}

Security Fix

--- a/app/main/controllers/rest/RTMediaRestController.php
+++ b/app/main/controllers/rest/RTMediaRestController.php
@@ -10,11 +10,13 @@
 public function handle_rest_pre_dispatch( $result, $server, $request ) {
-    if ( is_plugin_active( 'godam/godam.php' ) || defined( 'GODAM_VERSION' ) ) {
-        add_filter( 'rtmedia_media_query_status', function( $status ) {
-            return array( 'publish', 'private', 'draft' );
-        } );
-    }
+    // Removed unsafe authorization bypass based solely on plugin activation status.
+    // Access to private/draft media should now follow standard WordPress/rtMedia permission checks.
     return $result;
 }

Exploit Outline

The exploit requires the Godam plugin to be active on the target site (or simulated). An attacker first retrieves a standard WordPress REST API nonce, which rtMedia often leaks via localized scripts (rtmedia_params) on pages where media galleries are displayed. Once the nonce is obtained, the attacker sends an unauthenticated GET request to the `/wp-json/rtmedia/v1/media` endpoint. Because the vulnerable function detects the Godam plugin and globally modifies the allowed media status to include 'private' and 'draft' without verifying user permissions, the API response will include metadata and source URLs for media that should otherwise be restricted from public view.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.