CVE-2025-9218

low-risk
Published 2025-12-13

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

Do I need to act?

-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

References (3)

https://plugins.trac.wordpress.org/changeset/3386907/buddypress-media/tags/4.7.4...
https://wordpress.org/plugins/buddypress-media/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/68533b4c-1bdf-4104-a26...
18
/ 100
low-risk
Severity 13/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal