{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25325", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:29.366Z", "datePublished": "2026-02-19T08:26:56.293Z", "dateUpdated": "2026-04-28T16:14:54.890Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "buddypress-media", "product": "rtMedia for WordPress, BuddyPress and bbPress", "vendor": "rtCamp", "versions": [{"changes": [{"at": "4.7.9", "status": "unaffected"}], "lessThanOrEqual": "4.7.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:21.649Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.<p>This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.890Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/buddypress-media/vulnerability/wordpress-rtmedia-for-wordpress-buddypress-and-bbpress-plugin-4-7-8-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.7.8 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:27:43.286029Z", "id": "CVE-2026-25325", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:59:25.313Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25325", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:29.366Z", "datePublished": "2026-02-19T08:26:56.293Z", "dateUpdated": "2026-04-28T12:59:25.313Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "buddypress-media", "product": "rtMedia for WordPress, BuddyPress and bbPress", "vendor": "rtCamp", "versions": [{"changes": [{"at": "4.7.9", "status": "unaffected"}], "lessThanOrEqual": "4.7.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:39.813Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.<p>This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.054Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/buddypress-media/vulnerability/wordpress-rtmedia-for-wordpress-buddypress-and-bbpress-plugin-4-7-8-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.7.8 - Sensitive Data Exposure vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25325", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:27:43.286029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:27:34.424Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n sensible del sistema a una esfera de control no autorizada en rtCamp rtMedia para WordPress, BuddyPress y bbPress buddypress-media permite recuperar datos sensibles incrustados. Este problema afecta a rtMedia para WordPress, BuddyPress y bbPress: desde n/a hasta &lt;= 4.7.8."}], "id": "CVE-2026-25325", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:17.053", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/buddypress-media/vulnerability/wordpress-rtmedia-for-wordpress-buddypress-and-bbpress-plugin-4-7-8-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.7.8]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[4.7.9,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "rtMedia for WordPress, BuddyPress and bbPress", "source": "cna", "vendor": "rtCamp"}, "product": "rtmedia_for_wordpress,_buddypress_and_bbpress", "vendor": "rtcamp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T18:12:00.240994+00:00", "value": {"mitigation_remediation": ["Check the rtCamp vendor site or the WordPress plugin repository and apply the most recent rtMedia update that addresses the sensitive data exposure, ensuring the installed version is greater than 4.7.8.", "If an update is not yet available or cannot be deployed immediately, temporarily disable the rtMedia plugin or remove its media endpoint routes to prevent exposure until a patched version is released.", "Configure WordPress and the plugin\u2019s settings to restrict access to media files and metadata, ensuring only authorized user roles can view or download media assets, and verify that direct URL access to embedded data is protected by appropriate permission checks."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "All installations of rtMedia for WordPress, BuddyPress, and bbPress version 4.7.8 or earlier are vulnerable. This range covers every release of the plugin from its launch through the latest 4.7.8 release.", "description_and_impact": "The rtMedia plugin for WordPress, BuddyPress, and bbPress contains a flaw that allows unauthorized parties to retrieve sensitive information embedded in media objects. Classified as CWE\u2011497, the weakness demonstrates that private data can be accessed without the appropriate controls. An attacker who exploits this flaw could read information that should belong to other users, compromising confidentiality and potentially violating compliance obligations.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 5.3, indicating moderate severity. The likelihood of exploitation is very low, with an EPSS estimate below 1\u202f%. It is not recorded in the CISA KEV catalog. The description does not specify a precise attack path, but it may be exploitable by users who can submit crafted requests to the plugin, such as through direct URL manipulation or exposed form inputs that reveal media metadata."}}}}, "created": "2026-02-20T10:08:59.048057+00:00", "updated": "2026-04-17T18:15:26.780993+00:00", "vendors": ["rtcamp", "rtcamp$PRODUCT$rtmedia_for_wordpress,_buddypress_and_bbpress", "wordpress", "wordpress$PRODUCT$wordpress"]}