Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

The rtMedia plugin for WordPress, BuddyPress, and bbPress contains a flaw that allows unauthorized parties to retrieve sensitive information embedded in media objects. Classified as CWE‑497, the weakness demonstrates that private data can be accessed without the appropriate controls. An attacker who exploits this flaw could read information that should belong to other users, compromising confidentiality and potentially violating compliance obligations.

Affected Systems

All installations of rtMedia for WordPress, BuddyPress, and bbPress version 4.7.8 or earlier are vulnerable. This range covers every release of the plugin from its launch through the latest 4.7.8 release.

Risk and Exploitability

The vulnerability receives a CVSS score of 5.3, indicating moderate severity. The likelihood of exploitation is very low, with an EPSS estimate below 1 %. It is not recorded in the CISA KEV catalog. The description does not specify a precise attack path, but it may be exploitable by users who can submit crafted requests to the plugin, such as through direct URL manipulation or exposed form inputs that reveal media metadata.

Generated by OpenCVE AI on April 17, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the rtCamp vendor site or the WordPress plugin repository and apply the most recent rtMedia update that addresses the sensitive data exposure, ensuring the installed version is greater than 4.7.8.
  • If an update is not yet available or cannot be deployed immediately, temporarily disable the rtMedia plugin or remove its media endpoint routes to prevent exposure until a patched version is released.
  • Configure WordPress and the plugin’s settings to restrict access to media files and metadata, ensuring only authorized user roles can view or download media assets, and verify that direct URL access to embedded data is protected by appropriate permission checks.

Generated by OpenCVE AI on April 17, 2026 at 18:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rtcamp
Rtcamp rtmedia For Wordpress, Buddypress And Bbpress
Wordpress
Wordpress wordpress
Vendors & Products Rtcamp
Rtcamp rtmedia For Wordpress, Buddypress And Bbpress
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8.
Title WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.7.8 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References

Subscriptions

Rtcamp Rtmedia For Wordpress, Buddypress And Bbpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:54.890Z

Reserved: 2026-02-02T12:52:29.366Z

Link: CVE-2026-25325

cve-icon Vulnrichment

Updated: 2026-02-19T21:27:34.424Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:17.053

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25325

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses