CVE-2025-9218
📋 TL;DR
The rtMedia plugin for WordPress (also used with BuddyPress and bbPress) versions 4.7.0 to 4.7.3 has an information disclosure vulnerability when the Godam plugin is active. Unauthenticated attackers can access media files from draft or private posts that should be restricted. This affects WordPress sites using these specific plugin versions.
💻 Affected Systems
- rtMedia for WordPress, BuddyPress and bbPress
⚠️ Manual Verification Required
This database entry carries no machine-readable version range, so automatic detection cannot decide whether a given install is affected. Use the range stated in the TL;DR above (4.7.0 to 4.7.3, fixed in 4.7.4) and confirm it by hand:
Why? The entry lists the product but not the vulnerable version range, so the check cannot be automated from the CVE data alone.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive media files from private posts or drafts are exposed to the public internet, potentially revealing confidential information, intellectual property, or personal data.
Likely Case
Unauthorized users access media files that should be restricted to authenticated users, violating content privacy expectations.
If Mitigated
With proper access controls and monitoring, impact is limited to potential privacy violations without system compromise.
🎯 Exploit Status
Exploitation requires the Godam plugin to be active alongside a vulnerable rtMedia version. The weakness is an authorization check missing from REST API endpoints that return media attached to draft or private posts, so an unauthenticated client can request those files directly; no session or credentials are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.4
Vendor Advisory: https://wordpress.org/plugins/buddypress-media/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'rtMedia for WordPress, BuddyPress and bbPress'.
4. Click 'Update Now' if available, or download version 4.7.4 from the WordPress plugin repository.
5. If updating in place is not possible, deactivate and delete the old version, then upload and activate 4.7.4.
🔧 Temporary Workarounds
Deactivate Godam Plugin
Temporarily disable the Godam plugin until rtMedia is updated; this removes the precondition the vulnerability depends on.
wp plugin deactivate godam
Restrict REST API Access
Add web-server or WAF rules that deny unauthenticated requests to the rtMedia REST endpoints (paths under /wp-json/rtmedia/). Do not block /wp-json/ wholesale: the block editor and many plugins depend on it, and the rule would break site administration.
🧯 If You Can't Patch
- Deactivate the rtMedia plugin or Godam plugin immediately
- Implement web application firewall rules to block suspicious REST API requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for rtMedia version. If version is between 4.7.0 and 4.7.3 and Godam plugin is active, the system is vulnerable.
Check Version:
wp plugin get buddypress-media --field=version
Verify Fix Applied:
Verify rtMedia plugin version is 4.7.4 or higher in WordPress admin panel.
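The version check above can be scripted so that both conditions (version in range and Godam active) are evaluated together. The following is an added example, not code from the rtMedia project or its vendor; it assumes the WP-CLI plugin slugs used elsewhere on this page (buddypress-media for rtMedia, godam for Godam) and the affected range 4.7.0 to 4.7.3.

```shell
#!/bin/sh
# Added example (not from the rtMedia project or this advisory's vendor):
# decide whether an install is in the affected state described on this page,
# i.e. rtMedia 4.7.0-4.7.3 with the Godam plugin active.
# Assumed slugs: buddypress-media (rtMedia) and godam (Godam).

# rtmedia_version_in_range VERSION -> exit 0 when 4.7.0 <= VERSION <= 4.7.3
rtmedia_version_in_range() {
  # split "4.7.2" into maj=4 min=7 pat=2; IFS is set for the read only
  IFS=. read -r maj min pat <<EOF
$1
EOF
  maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
  pat=${pat%%[!0-9]*}; pat=${pat:-0}          # drop suffixes such as "3-beta"
  case "$maj$min$pat" in *[!0-9]*) return 1 ;; esac   # refuse non-numeric input
  [ "$maj" -eq 4 ] && [ "$min" -eq 7 ] && [ "$pat" -le 3 ]
}

# rtmedia_exposure_state VERSION GODAM_STATUS
#   VERSION      = rtMedia version string
#   GODAM_STATUS = value of `wp plugin get godam --field=status`
#                  (active, active-network, inactive, ...)
# Prints vulnerable | not-affected-version | godam-inactive; exit 0 only if vulnerable.
rtmedia_exposure_state() {
  if ! rtmedia_version_in_range "$1"; then
    echo not-affected-version; return 1
  fi
  case "$2" in
    active|active-network) echo vulnerable; return 0 ;;
    *) echo godam-inactive; return 1 ;;
  esac
}

# Live check: runs only where WP-CLI is installed; both values are read from the site.
if command -v wp >/dev/null 2>&1; then
  ver=$(wp plugin get buddypress-media --field=version 2>/dev/null || echo unknown)
  godam=$(wp plugin get godam --field=status 2>/dev/null || echo not-installed)
  state=$(rtmedia_exposure_state "$ver" "$godam") || true
  echo "rtMedia $ver, Godam $godam: $state"
fi
```

Run it from the WordPress root (or with `--path=` exported in `WP_CLI_CONFIG_PATH`/an alias) so that WP-CLI can find the install. A network-activated Godam counts as active, and a pre-release suffix on the rtMedia version does not change the comparison.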
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of REST API requests to media endpoints from clients that carry no authentication
- Sequential or enumerating access to /wp-json/rtmedia/ endpoints from a single client, especially 200 responses for media that belongs to draft or private posts
Network Indicators:
- HTTP GET requests to WordPress REST API media endpoints with no Authorization header and no WordPress login cookie
- Caveat: a stock web-server access log records only HTTP Basic auth in its user field; WordPress cookie sessions look identical to anonymous traffic there, so treat user="-" as a coarse filter and confirm against the wordpress_logged_in cookie where the log format captures it
SIEM Query:
source="wordpress.log" AND "wp-json/rtmedia" AND status=200 AND user="-"
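The SIEM query above, expressed as a shell function over combined-format access logs (Apache or nginx default). This is an added example, not part of the advisory or the rtMedia project; the log lines are constructed, the request paths under /wp-json/rtmedia/ are hypothetical (the page names only the namespace prefix), and the unauthenticated filter relies on the HTTP-auth user field, with the cookie caveat noted above.

```shell
#!/bin/sh
# Added example (not from the advisory or the rtMedia project): count 200
# responses to unauthenticated GET requests under /wp-json/rtmedia/ per client,
# the pattern described in the indicators above. Log format assumed: combined.

# Constructed sample log; the /wp-json/rtmedia/v1/media/N paths are hypothetical.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-json/rtmedia/v1/media/42 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-json/rtmedia/v1/media/43 HTTP/1.1" 200 4980 "-" "curl/8.4.0"
198.51.100.7 - admin [10/Oct/2025:12:01:00 +0000] "GET /wp-json/rtmedia/v1/media/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:12:03:00 +0000] "GET /wp-json/rtmedia/v1/media/44 HTTP/1.1" 401 120 "-" "curl/8.4.0"
EOF
)

# rtmedia_unauth_hits [LOGFILE...]  (reads stdin when no file is given)
# Combined-format fields: $1 client, $3 HTTP-auth user ("-" when none),
# $6 "\"GET", $7 request path, $9 status. Prints "client count", busiest first.
rtmedia_unauth_hits() {
  awk '$3 == "-" && $6 == "\"GET" && $7 ~ "^/wp-json/rtmedia/" && $9 == 200 { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' "$@" | sort -k2,2nr
}

# rtmedia_enumerators THRESHOLD [LOGFILE...]: clients at or above THRESHOLD hits,
# a simple cut-off for spotting ID enumeration rather than a single stray fetch.
rtmedia_enumerators() {
  threshold=$1; shift
  rtmedia_unauth_hits "$@" | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Demo on the constructed sample. Against a real log:
#   rtmedia_unauth_hits /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | rtmedia_unauth_hits
```

Only the two 200 responses from 203.0.113.5 match: the request by the Basic-auth user admin, the request outside the rtmedia namespace, and the 401 are all excluded. Raise the threshold in rtmedia_enumerators to the level of normal anonymous traffic on your site before alerting on it.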