CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
What the vulnerability does
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.
Explanation of Vulnerability in Simple Terms
The rtMedia plugin for WordPress versions 4.7.0 through 4.7.3 fails to properly check user permissions before allowing access to certain functionality. An attacker on the network can read limited sensitive information without authentication, though the impact is restricted by the plugin's access controls. Update to a version newer than 4.7.3.
What an attacker can do
Read limited sensitive information from the site without logging in.
Potential impact on your site
Unauthenticated visitors may access restricted data, though exposure is limited to low-sensitivity information.
Conditions required to exploit
Network access to the site; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
