Description
Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress <= 4.7.9 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Breaking access control rules in the rtMedia plugin for WordPress, BuddyPress and bbPress allows a subscriber-level user to view, edit, or delete media files beyond their authorized scope, directly compromising confidentiality, integrity, and potentially availability of user-generated content. The flaw is an instance of CWE‑862 and can lead to unauthorized disclosure or alteration of media assets. Attackers could expose sensitive media or remove valuable content, undermining user trust and platform reliability.

Affected Systems

The vulnerability affects installations of the rtMedia plugin from rtCamp Inc. running any version 4.7.9 or older on WordPress, BuddyPress, or bbPress sites. All sites using these legacy versions are susceptible, regardless of the number of users or the size of the media library.

Risk and Exploitability

With a CVSS score of 6.5, the issue rates as a moderate severity. The EPSS score is below 1%, indicating a very low probability that exploit code is actively used in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to hold a valid subscriber account, which can often be gained through social engineering or brute force, so the risk remains contingent on the attacker’s ability to obtain or create such credentials. Once authenticated, the attacker can leverage the broken access control to manipulate media, posing a significant threat to content integrity.

Generated by OpenCVE AI on June 18, 2026 at 00:57 UTC.

Remediation

Vendor Solution

Update the WordPress rtMedia for WordPress, BuddyPress and bbPress Plugin to the latest available version (at least 4.7.10).


OpenCVE Recommended Actions

  • Update the rtMedia plugin to version 4.7.10 or newer
  • Restart WordPress or clear caches to ensure the updated code takes effect
  • Monitor site logs for anomalous media access patterns and consider enabling detailed logging for media requests

Generated by OpenCVE AI on June 18, 2026 at 00:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Rtcamp
Rtcamp rtmedia For Wordpress, Buddypress And Bbpress
Wordpress
Wordpress wordpress
Vendors & Products Rtcamp
Rtcamp rtmedia For Wordpress, Buddypress And Bbpress
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress <= 4.7.9 versions.
Title WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.7.9 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Rtcamp Rtmedia For Wordpress, Buddypress And Bbpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T18:07:02.542Z

Reserved: 2026-04-15T09:20:36.793Z

Link: CVE-2026-40773

cve-icon Vulnrichment

Updated: 2026-06-16T18:06:46.928Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:49.990

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40773

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses