Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Subscriber-level authentication required (PR:L) for a network-reachable WordPress endpoint with no confidentiality or availability consequences, only integrity impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress <= 4.7.9 versions.
AnalysisAI
Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress (versions <= 4.7.9) permits low-privileged authenticated users at the subscriber level to invoke privileged plugin functionality without authorization, yielding high integrity impact. The CVSS vector (PR:L, I:H, AV:N, AC:L, UI:N) confirms that any logged-in subscriber can exploit this remotely without complexity or user interaction, making sites with open user registration particularly exposed. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), meaning the plugin performs privileged operations - likely media upload, deletion, or metadata modification tied to BuddyPress profiles or bbPress forum threads - without verifying the caller's WordPress role or capability. WordPress's subscriber role is the lowest authenticated user tier, granting no content management privileges by default. The rtMedia plugin by rtCamp Inc. extends WordPress with media management for the BuddyPress social layer and bbPress forum system; its action handlers apparently lack wp_verify_nonce or current_user_can() capability checks before executing sensitive operations. The affected CPE is cpe:2.3:a:rtcamp_inc.:rtmedia_for_wordpress,_buddypress_and_bbpress:*:*:*:*:*:*:*:* for all versions through 4.7.9, as confirmed by EUVD-2026-36982.
RemediationAI
Update the rtMedia for WordPress, BuddyPress and bbPress plugin to a version beyond 4.7.9 - the exact patched version number is not confirmed in the available input data; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/buddypress-media/vulnerability/wordpress-rtmedia-for-wordpress-buddypress-and-bbpress-plugin-4-7-9-broken-access-control-vulnerability and the WordPress plugin repository for the latest patched release. As an immediate compensating control, disable open user registration (Settings > General > uncheck 'Anyone can register') to eliminate the self-registration abuse vector, accepting the trade-off that no new public users can join the site. Alternatively, restrict subscriber access to media-related plugin endpoints via a Web Application Firewall rule targeting rtMedia AJAX actions if the plugin cannot be updated immediately. Site administrators should audit recent subscriber-level activity logs for unauthorized media modifications.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36982
GHSA-2j8m-7c2m-9c93