CVE-2025-9218
Published
CVSS v3
3.7
LOW
CVSS v2
N/A
Affected
1
PROJECT
Description
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.
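<p>An added illustrative example (not rtMedia's or GoDAM's own code; the route, function and parameter names are hypothetical) of the authorization check that the description says is missing. A <code>rest_pre_dispatch</code> filter runs before WordPress matches the route and evaluates its <code>permission_callback</code>, so anything it returns short-circuits the route's own authorization and must perform that check itself.</p>

```php
<?php
// Illustrative example only: hypothetical route '/example-media/v1/items' and
// function names. Shows the hardened form of a rest_pre_dispatch handler that
// serves attachment data for a media item.

add_filter( 'rest_pre_dispatch', 'example_media_pre_dispatch_hardened', 10, 3 );

/**
 * @param mixed           $result  Value to return instead of dispatching normally.
 * @param WP_REST_Server  $server  REST server instance.
 * @param WP_REST_Request $request Incoming request.
 */
function example_media_pre_dispatch_hardened( $result, $server, $request ) {
	// Leave every other route to normal dispatch (and its permission_callback).
	if ( 0 !== strpos( $request->get_route(), '/example-media/v1/items' ) ) {
		return $result;
	}

	$attachment_id = absint( $request->get_param( 'id' ) );
	$attachment    = get_post( $attachment_id );
	if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
		return new WP_Error( 'rest_not_found', 'Media not found.', array( 'status' => 404 ) );
	}

	// The vulnerable pattern stops here and returns the attachment. The missing
	// step is authorization against the parent post: media attached to a draft
	// or private post must only be readable by users who can read that post.
	$parent_id = (int) $attachment->post_parent;
	if ( $parent_id > 0 ) {
		$parent = get_post( $parent_id );
		if ( ! $parent
			|| ( 'publish' !== $parent->post_status
				&& ! current_user_can( 'read_post', $parent_id ) ) ) {
			// 401 for anonymous callers, 403 for logged-in users without access.
			$status = is_user_logged_in() ? 403 : 401;
			return new WP_Error(
				'rest_forbidden',
				'You are not allowed to view this media item.',
				array( 'status' => $status )
			);
		}
	}

	return rest_ensure_response( wp_prepare_attachment_for_js( $attachment_id ) );
}
```

<p>Because <code>rest_pre_dispatch</code> bypasses route matching, a defender reviewing a plugin should audit every callback on that filter for an explicit capability or post-status check, not just the routes' registered <code>permission_callback</code>s.</p>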
<p>rtMedia is the <strong>only</strong> complete media solution for WordPress, BuddyPress and bbPress, and is <strong>WordPress.com VIP</strong> compatible.</p>
<p>Built with a mobile-first approach, it works on mobile/tablet devices (like iPhone/iPad, Android).</p>
<h4>Live Demos</h4>
<p>If you’re in a hurry, you can skip the long list of features in subsequent sections and just explore live demos!</p>
<ul>
<li><a href="http://demo.rtmedia.io" rel="nofollow ugc">rtMedia Demo</a></li>
</ul>
<h4>Video Tour</h4>
<p>Since rtMedia has many features, the video doesn’t cover all of them:</p>
<p><a href="https://www.youtube.com/watch?v=dJrykKQGDcs" rel="nofollow ugc">rtMedia video tour on YouTube</a></p>
<h4>rtMedia Features</h4>
<ol>
<li><strong>WordPress Integration</strong> – Display media on WordPress author pages ( eg: http://demo.rtmedia.io/author/admin/media/ )</li>
<li><strong>BuddyPress Integration</strong> – Find a new media tab under BuddyPress Profiles & Groups.</li>
<li><strong>BuddyPress Activity Stream</strong> – Attach media to activity status updates just like Facebook.</li>
<li><strong>Albums</strong> – Organise media into manageable collections. BuddyPress Group albums support collaboration.</li>
<li><strong>Responsive</strong> – Album Slideshow (Lightbox), video player, uploads work on mobiles & tablets. Support for swipe gestures.</li>
<li><strong>Privacy</strong> – Control who can see media files, albums and BuddyPress activities.</li>
<li><strong>Templating system</strong> – Completely customise rtMedia by modifying the template files. Just copy over the template folder to your theme.</li>
<li><strong><a href="https://rtmedia.io/docs/developers/featured-media/?utm_source=readme&utm_medium=plugin&utm_campaign=buddypress-media" title="Featured Media documentation" rel="nofollow ugc">Featured Media</a></strong> – This can be used for facebook-style cover photo on profiles.</li>
<li><strong><a href="https://rtmedia.io/docs/features/upload/?utm_source=readme&utm_medium=plugin&utm_campaign=buddypress-media" title="rtMedia Uploader" rel="nofollow ugc">rtMedia Uploader</a></strong> – Use <code>[rtmedia_uploader]</code> shortcode or <code><?php rtmedia_uploader() ?></code> template tag, to show drag-n-drop uploader in any WordPress area (post, page, custom-post, etc).</li>
<li><strong><a href="https://rtmedia.io/docs/features/gallery/?utm_source=readme&utm_medium=plugin&utm_campaign=buddypress-media" title="rtMedia Gallery" rel="nofollow ugc">rtMedia Gallery</a></strong> – Display media gallery anywhere on your site using <code>[rtmedia_gallery]</code> shortcode or <code><?php rtmedia_gallery ?></code> template tag.</li>
<li><strong><a href="https://rtmedia.io/docs/features/upload-terms/" title="Upload Terms" rel="nofollow ugc">Upload-Terms</a></strong> – This feature is useful to set terms of services page on website during user upload media on website.</li>
</ol>
<h4>Audio/Video Conversion</h4>
<p>You can use the <a href="https://wordpress.org/plugins/godam/" rel="ugc">GoDAM Plugin</a> for Audio/Video transcoding.</p>
<h4>rtMedia Premium Features</h4>
<ol>
<li><strong><a href="https://rtmedia.io/photo-filters/" title="rtMedia Instagram Feature" rel="nofollow ugc">Instagram-Effects</a></strong> – Users can apply Instagram like filters to photos.</li>
<li><strong><a href="https://rtmedia.io/photo-tagging/" title="rtMedia Photo-Tagging Feature" rel="nofollow ugc">Photo-Tagging</a></strong> – Users can tag their friends/other users in photos.</li>
<li><strong><a href="https://rtmedia.io/photo-watermark/" title="rtMedia Photo Watermark Feature" rel="nofollow ugc">Photo-Watermark</a></strong> – rtMedia Photo Watermark feature let you watermarked or copyright your uploaded photos.)</li>
<li><strong><a href="https://rtmedia.io/membership/" title="rtMedia Membership" rel="nofollow ugc">Membership</a></strong> – It provides membership functionality in your site.</li>
<li><strong><a href="https://rtmedia.io/social-sync/" title="rtMedia Social Sync" rel="nofollow ugc">Social-Sync</a></strong> – It allows you to import media from your Facebook account.</li>
<li><strong><a href="https://rtmedia.io/mycred/" title="rtMedia myCRED" rel="nofollow ugc">myCRED-Points</a></strong> – It allows you to integrate rtMedia with myCRED and award virtual points for various rtMedia activities, like media upload, likes, deleted, albums creation, playlist, etc.</li>
<li><strong><a href="https://rtmedia.io/playlists/" title="rtMedia Playlists" rel="nofollow ugc">Playlists</a></strong> – This feature is used to create a playlist for uploaded music file with rtMedia.</li>
<li><strong><a href="https://rtmedia.io/favorites/" title="rtMedia Favorites" rel="nofollow ugc">Favorites</a></strong> – This feature allows users to create their own list of favorite media.</li>
<li><strong><a href="https://rtmedia.io/moderation/" title="rtMedia Moderation" rel="nofollow ugc">Moderation</a></strong> – This feature is for reporting media if user find offensive.</li>
<li><strong><a href="https://rtmedia.io/custom-attributes/" title="rtMedia Custom Attributes" rel="nofollow ugc">Custom-Attributes</a></strong> – This feature is for categorizing media using attributes defined by site owner when uploading.</li>
<li><strong><a href="https://rtmedia.io/docs-and-other-files/" title="rtMedia Docs and Other files" rel="nofollow ugc">Docs-and-Other-files</a></strong> – This feature allows uploading for doc, pdf and other file types such as zip, tar, etc.</li>
<li><strong><a href="https://rtmedia.io/default-albums/" title="rtMedia Default Albums" rel="nofollow ugc">Default-Albums</a></strong> – This feature allows the creation of multiple default albums for rtMedia uploads.</li>
<li><strong><a href="https://rtmedia.io/podcast-rss-and-atom-feeds/" title="rtMedia Podcast (RSS and Atom feeds)" rel="nofollow ugc">Podcast-Feed</a></strong> – Read rtMedia uploads from iTunes as well as any RSS feed-reader/podcasting software.</li>
<li><strong><a href="https://rtmedia.io/restrictions/" title="rtMedia Restrictions" rel="nofollow ugc">Restrictions</a></strong> – Site admin can set limits in terms of total size & file count.</li>
<li><strong><a href="https://rtmedia.io/bbpress-attachments/" title="rtMedia bbPress Attachments" rel="nofollow ugc">bbPress-Attachments</a></strong> – Attach media files to bbPress forum topics and replies.</li>
<li><strong><a href="https://rtmedia.io/wordpress-sitewide-gallery/" title="rtMedia WordPress Sitewide Gallery" rel="nofollow ugc">WordPress-Sitewide-Gallery</a></strong> – Site admin can create and upload media into WordPress album.</li>
<li><strong><a href="https://rtmedia.io/wordpress-comment-attachments/" title="rtMedia WordPress Comment Attachments" rel="nofollow ugc">WordPress-Comment-Attachments</a></strong> – Allow users to upload a media file in WordPress comment attachment box.</li>
<li><strong><a href="https://rtmedia.io/social-sharing/" title="rtMedia Social Sharing" rel="nofollow ugc">Social-Sharing</a></strong> – Share uploaded media on social network sites like Facebook, twitter, linkedin, Google+. This addon integrate with <a href="https://wordpress.org/plugins/rtsocial/?utm_source=readme&utm_medium=plugin&utm_campaign=buddypress-media" rel="ugc">rtSocial</a> plugin.</li>
<li><strong><a href="https://rtmedia.io/sidebar-widgets/" title="rtMedia Sidebar Widgets" rel="nofollow ugc">Sidebar-Widgets</a></strong> – This feature provide widgets to upload media and display gallery for rtMedia plugin.</li>
<li><strong><a href="https://rtmedia.io/5-star-ratings/" title="rtMedia 5 Star Ratings" rel="nofollow ugc">5-Star-Ratings</a></strong> – User can rate the media files from 1 to 5 star.</li>
<li><strong><a href="https://rtmedia.io/edit-mp3-info-id3-tags/" title="rtMedia - Edit Mp3 Info (ID3 Tags)" rel="nofollow ugc">Edit-Mp3-Info-(ID3 Tags)</a></strong> – Allow user to edit MP3 FIle Audio tags (ID 3 tags).</li>
<li><strong><a href="https://rtmedia.io/sorting/" title="rtMedia Sorting" rel="nofollow ugc">Sorting</a></strong> – Sort uploaded media based on file size, ascending/descending title, upload date of media.</li>
<li><strong><a href="https://rtmedia.io/bulk-edit/" title="rtMedia Bulk Edit" rel="nofollow ugc">Bulk-Edit</a></strong> – Allow users to move files from one album to another, change attributes, change privacy, delete files in bulk.</li>
<li><strong><a href="https://rtmedia.io/buddypress-profile-picture/" title="rtMedia BuddyPress Profile Picture" rel="nofollow ugc">BuddyPress-Profile-Picture</a></strong> – Allow users to set their profile picture from existing uploaded media file.</li>
<li><strong><a href="https://rtmedia.io/album-cover-art/" title="rtMedia Album Cover Art" rel="nofollow ugc">Album-Cover-Art</a></strong> – Allow users to set album cover from uploaded image.</li>
<li><strong><a href="https://rtmedia.io/direct-download-link/" title="rtMedia Direct Download Link" rel="nofollow ugc">Direct-Download-Link</a></strong> – This feature provide a download button for all the uploaded media.</li>
<li><strong><a href="https://rtmedia.io/upload-by-url/" title="rtMedia Upload by URL" rel="nofollow ugc">Upload-by-URL</a></strong> – Allow users to upload media using absolute URL.</li>
<li><strong><a href="https://rtmedia.io/likes/" title="rtMedia Likes" rel="nofollow ugc">Likes</a></strong> – This feature let you know who liked media. User can also see which media file he/she liked under user profile.</li>
<li><strong><a href="https://rtmedia.io/activity-url-preview/" title="rtMedia Activity URL Preview" rel="nofollow ugc">Activity-URL-Preview</a></strong> – This feature provides a preview of the URL that is shared and shows up on BuddyPress activity.</li>
<li><strong><a href="https://rtmedia.io/view-counter/" title="rtMedia View Counter" rel="nofollow ugc">View-Counter</a></strong> – Enable view count for all the uploaded media.</li>
<li><strong><a href="https://rtmedia.io/shortcode-generator/" title="rtMedia Shortcode Generator" rel="nofollow ugc">Shortcode-Generator</a></strong> – The shortcode generator button added in WordPress post and page editor for all the rtMedia shortcodes.</li>
<li><strong><a href="https://rtmedia.io/album-privacy/" title="rtMedia Album Privacy" rel="nofollow ugc">Album-Privacy</a></strong> – Set album privacy when user create new albums or edit album.</li>
<li><strong><a href="https://rtmedia.io/buddypress-group-media-control/" title="rtMedia BuddyPress Group Media Control" rel="nofollow ugc">BuddyPress-Group-Media-Control</a></strong> – Allow group owner to provide media upload feature for their group.</li>
<li><strong><a href="https://rtmedia.io/set-custom-thumbnail-for-audio-video/" title="rtMedia Set Custom Thumbnail for Audio/Video" rel="nofollow ugc">Set-Custom-Thumbnail-for-Audio/Video</a></strong> – Allow media owner to change the thumbnail of uploaded audio/video files.</li>
<li><strong><a href="https://rtmedia.io/seo-3/" title="rtMedia SEO" rel="nofollow ugc">rtMedia-SEO</a></strong> – Generate XML sitemap of all the public media files uploaded via rtMedia plugin, also compatible with <a href="https://wordpress.org/plugins/wordpress-seo/" title="Yoast SEO" rel="ugc">Yoast-SEO</a> plugin if you are already using on your site.</li>
</ol>
<h4>Important Links</h4>
<ul>
<li><a href="https://rtmedia.io/?utm_source=readme&utm_medium=plugin&utm_campaign=buddypress-media" title="Visit rtMedia's Project Homepage" rel="nofollow ugc">Project Homepage</a></li>
<li><a href="https://rtmedia.io/docs/?utm_source=readme&utm_medium=plugin&utm_campaign=buddypress-media" title="Visit rtMedia's Documentation page" rel="nofollow ugc">Documentation</a></li>
<li><a href="https://rtmedia.io/faq/?utm_source=readme&utm_medium=plugin&utm_campaign=buddypress-media" title="Visit rtMedia's FAQ page" rel="nofollow ugc">FAQ</a></li>
<li><a href="https://rtmedia.io/support/" title="Visit rtMedia's support page" rel="nofollow ugc">Support</a></li>
<li><a href="https://github.com/rtmediawp/rtMedia/" rel="nofollow ugc">GitHub</a> – Please mention your wordpress.org username when sending pull requests.</li>
</ul>
<h3>Sponsors</h3>
<ul>
<li><em><a href="https://profiles.wordpress.org/henrywright-1" rel="nofollow ugc">Henry Wright</a></em> has kindly sponsored the <em>Featured Media</em> feature.</li>
<li>优素映像 (Yousu Image) has sponsored the latest <em>Like</em> feature, which no longer depends on BuddyPress.</li>
<li>Richard Ellis has sponsored the profile picture along with the link back to the profile in the media pop ups.</li>
</ul>
<h3>Translation</h3>
<p>rtMedia includes full translation support. Head over to the translation project to contribute your translations. If you don’t see the language of your choice, let us know in the support forum, we’ll add it.</p>
<ul>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/nl/default" rel="nofollow ugc">Dutch</a> translation by [carry2web] (https://profiles.wordpress.org/carry2web)</li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/it/default" rel="nofollow ugc">Italian</a> translation by [Paolo]</li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/nl/default" rel="nofollow ugc">Dutch</a> translation by <a href="https://profiles.wordpress.org/rjpj" rel="nofollow ugc">rjpj</a></li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/pl/default" rel="nofollow ugc">Polish</a> translation by <a href="https://profiles.wordpress.org/polski_ziom" rel="nofollow ugc">Polski_Ziom</a></li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/es/default" rel="nofollow ugc">Spanish</a> translation by <a href="https://profiles.wordpress.org/naturalworldstm/" rel="nofollow ugc">Andrés Felipe</a> and [d3ne]</li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/sk/default" rel="nofollow ugc">Solvak</a> translation by <a href="https://profiles.wordpress.org/igid26" rel="nofollow ugc">igid26</a></li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/it/default" rel="nofollow ugc">Italian</a> translation by [Yukiko.Kawa]</li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/fa/default" rel="nofollow ugc">Persian</a> translation by <a href="https://profiles.wordpress.org/mahdiar/" rel="nofollow ugc">mahdiar</a></li>
<li><a href="https://rtmedia.io/translate/projects/rtmedia/de/default" rel="nofollow ugc">German</a> translation by [hannes.muc]</li>
</ul>
<p>(<strong>Note</strong>: Credits are given for translations that are at least 50% complete.)</p>
<h3>Credits</h3>
<p>rtMedia uses the following projects/sources for some functionality:</p>
<ul>
<li><a href="http://mediaelementjs.com/" rel="nofollow ugc">MediaElement.js</a> for html5 audio/video player</li>
<li><a href="http://dimsemenov.com/plugins/magnific-popup/" rel="nofollow ugc">Magnific Popup</a> for responsive lightbox</li>
<li><a href="http://getid3.sourceforge.net/" rel="nofollow ugc">getID3</a> gets us some ID tags for the media</li>
<li><a href="http://foundation.zurb.com/" rel="nofollow ugc">Foundation</a> for the media grid and layout</li>
<li><a href="http://backbonejs.org/" rel="nofollow ugc">Backbone.js</a> for an MVC architecture for the frontend</li>
</ul>