Skip to main content

rtMedia WordPress Plugin CVE-2026-40773

| EUVDEUVD-2026-36982 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-2j8m-7c2m-9c93
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Subscriber-level authentication required (PR:L) for a network-reachable WordPress endpoint with no confidentiality or availability consequences, only integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 23:09 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
MEDIUM 6.5

DescriptionCVE.org

Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress <= 4.7.9 versions.

AnalysisAI

Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress (versions <= 4.7.9) permits low-privileged authenticated users at the subscriber level to invoke privileged plugin functionality without authorization, yielding high integrity impact. The CVSS vector (PR:L, I:H, AV:N, AC:L, UI:N) confirms that any logged-in subscriber can exploit this remotely without complexity or user interaction, making sites with open user registration particularly exposed. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-862 (Missing Authorization), meaning the plugin performs privileged operations - likely media upload, deletion, or metadata modification tied to BuddyPress profiles or bbPress forum threads - without verifying the caller's WordPress role or capability. WordPress's subscriber role is the lowest authenticated user tier, granting no content management privileges by default. The rtMedia plugin by rtCamp Inc. extends WordPress with media management for the BuddyPress social layer and bbPress forum system; its action handlers apparently lack wp_verify_nonce or current_user_can() capability checks before executing sensitive operations. The affected CPE is cpe:2.3:a:rtcamp_inc.:rtmedia_for_wordpress,_buddypress_and_bbpress:*:*:*:*:*:*:*:* for all versions through 4.7.9, as confirmed by EUVD-2026-36982.

RemediationAI

Update the rtMedia for WordPress, BuddyPress and bbPress plugin to a version beyond 4.7.9 - the exact patched version number is not confirmed in the available input data; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/buddypress-media/vulnerability/wordpress-rtmedia-for-wordpress-buddypress-and-bbpress-plugin-4-7-9-broken-access-control-vulnerability and the WordPress plugin repository for the latest patched release. As an immediate compensating control, disable open user registration (Settings > General > uncheck 'Anyone can register') to eliminate the self-registration abuse vector, accepting the trade-off that no new public users can join the site. Alternatively, restrict subscriber access to media-related plugin endpoints via a Web Application Firewall rule targeting rtMedia AJAX actions if the plugin cannot be updated immediately. Site administrators should audit recent subscriber-level activity logs for unauthorized media modifications.

Share

CVE-2026-40773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy