CVE-2025-9218 identifies a missing authorization vulnerability (CWE-862) in the rtMedia plugin versions 4.7.0 through 4.7.3 for WordPress, BuddyPress, and bbPress. The flaw exists specifically in the handle_rest_pre_dispatch() function, which fails to enforce proper authorization checks when the Godam plugin is active. This omission allows unauthenticated attackers to retrieve media items associated with draft or private posts, which are normally restricted. The vulnerability results in information disclosure limited to media content, without compromising data integrity or system availability. The CVSS 3.1 score is 3.7 (low), reflecting the network attack vector, high attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, and the impact is limited to confidentiality. No patches have been linked yet, and no exploits are known in the wild. The vulnerability is significant for sites using the affected plugin versions alongside the Godam plugin, especially where sensitive media is stored in non-public posts. The issue underscores the importance of authorization checks in REST API dispatch functions within WordPress plugins.

For European organizations, the primary impact is unauthorized disclosure of media content linked to draft or private posts on websites using the affected rtMedia plugin versions with the Godam plugin enabled. This could lead to exposure of sensitive images, videos, or other media that organizations intended to keep confidential, potentially harming privacy, brand reputation, or compliance with data protection regulations such as GDPR. Although the vulnerability does not allow modification or deletion of content, the leakage of private media can be exploited for social engineering or further reconnaissance by attackers. Organizations relying on WordPress-based community or social networking sites using BuddyPress or bbPress may be particularly vulnerable. The low severity and high attack complexity reduce the likelihood of widespread exploitation, but the risk remains for targeted attacks against high-value sites. The absence of known exploits suggests limited current threat activity, but the vulnerability should be addressed promptly to prevent future abuse.

1. Monitor for official patches from the rtMedia plugin vendor and apply updates immediately once available to ensure the authorization checks are properly implemented. 2. Until patches are released, consider disabling the Godam plugin if it is not essential, as its activation triggers the vulnerability. 3. Review and restrict access permissions on draft and private posts to minimize exposure of sensitive media. 4. Implement web application firewall (WAF) rules to detect and block suspicious REST API requests targeting the handle_rest_pre_dispatch() endpoint. 5. Conduct regular security audits of WordPress plugins, especially those handling media and REST API endpoints, to identify missing authorization or authentication controls. 6. Educate site administrators on the risks of enabling plugins that may interact in insecure ways and encourage minimal plugin usage. 7. Maintain comprehensive logging and monitoring of REST API access to detect unusual retrieval patterns of draft or private media items.