CVE-2025-9218
Unknown Unknown - Not Provided
Information Disclosure in rtMedia WordPress Plugin via Missing Authorization

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2025-12-13
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9218
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rtmedia rtmedia *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized disclosure of media content that is meant to be private or unpublished (drafts). This means attackers without authentication can access sensitive or confidential media files, potentially compromising privacy or exposing sensitive information.

Executive Summary

This vulnerability exists in the rtMedia plugin for WordPress, BuddyPress, and bbPress, specifically in versions 4.7.0 to 4.7.3. It is caused by missing authorization checks in the handle_rest_pre_dispatch() function when the Godam plugin is active. This flaw allows unauthenticated attackers to access media items linked to draft or private posts, leading to information disclosure.

Mitigation Strategies

To mitigate the vulnerability CVE-2025-9218, immediately update the rtMedia plugin for WordPress, BuddyPress, and bbPress to version 4.7.4 or later, which includes security fixes addressing the missing authorization in the REST API. Ensure that the Godam plugin is either disabled or updated accordingly. The update improves REST API request handling, input sanitization, and authorization checks to prevent unauthorized access to media items associated with draft or private posts. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart