CVE-2025-9218
Unknown Unknown - Not Provided

Information Disclosure in rtMedia WordPress Plugin via Missing Authorization

Vulnerability report for CVE-2025-9218, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-13
Last Modified
2025-12-13
Generated
2026-07-06
AI Q&A
2025-12-13
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rtmedia rtmedia *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized disclosure of media content that is meant to be private or unpublished (drafts). This means attackers without authentication can access sensitive or confidential media files, potentially compromising privacy or exposing sensitive information.

Executive Summary

This vulnerability exists in the rtMedia plugin for WordPress, BuddyPress, and bbPress, specifically in versions 4.7.0 to 4.7.3. It is caused by missing authorization checks in the handle_rest_pre_dispatch() function when the Godam plugin is active. This flaw allows unauthenticated attackers to access media items linked to draft or private posts, leading to information disclosure.

Mitigation Strategies

To mitigate the vulnerability CVE-2025-9218, immediately update the rtMedia plugin for WordPress, BuddyPress, and bbPress to version 4.7.4 or later, which includes security fixes addressing the missing authorization in the REST API. Ensure that the Godam plugin is either disabled or updated accordingly. The update improves REST API request handling, input sanitization, and authorization checks to prevent unauthorized access to media items associated with draft or private posts. [1, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart