CVE-2025-9218
Information Disclosure in rtMedia WordPress Plugin via Missing Authorization
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rtmedia | rtmedia | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of media content that is meant to be private or unpublished (drafts). This means attackers without authentication can access sensitive or confidential media files, potentially compromising privacy or exposing sensitive information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2025-9218, immediately update the rtMedia plugin for WordPress, BuddyPress, and bbPress to version 4.7.4 or later, which includes security fixes addressing the missing authorization in the REST API. Ensure that the Godam plugin is either disabled or updated accordingly. The update improves REST API request handling, input sanitization, and authorization checks to prevent unauthorized access to media items associated with draft or private posts. [1, 3]
Can you explain this vulnerability to me?
This vulnerability exists in the rtMedia plugin for WordPress, BuddyPress, and bbPress, specifically in versions 4.7.0 to 4.7.3. It is caused by missing authorization checks in the handle_rest_pre_dispatch() function when the Godam plugin is active. This flaw allows unauthenticated attackers to access media items linked to draft or private posts, leading to information disclosure.