Vulnerabilities and security researches forbuddypress-media buddypress-media

Jun 07, 2024

CVE, Research URL: 486aa334-badc-4af2-abe0-77904d768b90
Home page URL: Security reports for rtMedia for WordPress, BuddyPress and bbPress
Application: rtMedia for WordPress, BuddyPress and bbPress
Date: -
Research Description: rtMedia for WordPress, BuddyPress and bbPress [buddypress-media] < 4.6.15 trMedia for WordPress <= 4.2 - Unspecified Issues Changelog for 4.2.1 mentions "Security issues pointed out by James Golovich", but could not find any reference on the author's blog
Affected versions: max 4.6.15.
Status: vulnerable

CVE, Research URL: CVE-2023-5931
Home page URL: Security reports for rtMedia for WordPress, BuddyPress and bbPress
Application: rtMedia for WordPress, BuddyPress and bbPress
Date: Dec 27, 2023
Research Description: The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files such as PHP on the server
Affected versions: max 4.6.16.
Status: vulnerable

CVE, Research URL: CVE-2023-5939
Home page URL: Security reports for rtMedia for WordPress, BuddyPress and bbPress
Application: rtMedia for WordPress, BuddyPress and bbPress
Date: Dec 27, 2023
Research Description: The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 loads the contents of the import file in an unsafe manner, leading to remote code execution by privileged users.
Affected versions: max 4.6.15.
Status: vulnerable

CVE, Research URL: CVE-2024-3293
Home page URL: Security reports for rtMedia for WordPress, BuddyPress and bbPress
Application: rtMedia for WordPress, BuddyPress and bbPress
Date: Apr 23, 2024
Research Description: The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmedia_gallery shortcode in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 4.6.19.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-41951
Home page URL: Security reports for rtMedia for WordPress, BuddyPress and bbPress
Application: rtMedia for WordPress, BuddyPress and bbPress
Date: Dec 13, 2024
Research Description: Missing Authorization vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through 4.6.14.
Affected versions: max 4.6.15.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2026-25325
Home page URL: Security reports for rtMedia for WordPress, BuddyPress and bbPress
Application: rtMedia for WordPress, BuddyPress and bbPress
Date: Feb 19, 2026
Research Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8.
Affected versions: max 4.7.8.
Status: vulnerable