VYPR
Medium severity, score 6.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-40773

Description

A broken access control vulnerability in rtMedia plugin versions <=4.7.9 allows subscribers to execute higher-privileged actions, risking data exposure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The rtMedia for WordPress, BuddyPress and bbPress plugin, in versions up to and including 4.7.9, contains a broken access control vulnerability. Certain plugin functions do not enforce authorization (capability) checks, authentication, or nonce verification, so low-privileged users (subscribers per the CVE description, possibly unauthenticated users) can trigger actions intended for higher-privileged roles. [1]
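As an added illustration (not rtMedia's code, and not tied to any specific rtMedia function, since the advisory names none), the following hypothetical WordPress plugin code shows the class of defect described above: a state-changing admin-ajax action reachable by any logged-in user with neither a nonce nor a capability check, next to a hardened version, plus the equivalent REST-route guard. Every `example_` name, the `example_delete_media` action, the `example-media` script handle and the `example/v1` namespace are assumptions.

```php
<?php
// Added example, not rtMedia's code. Hypothetical handlers illustrating the
// broken-access-control pattern (missing nonce + capability checks) and its fix.

// --- Vulnerable pattern (shown for contrast; not registered) --------------
// If registered with add_action( 'wp_ajax_example_delete_media', ... ), any
// authenticated user, including a subscriber, can POST
//   action=example_delete_media&media_id=N   to /wp-admin/admin-ajax.php
function example_delete_media_vulnerable() {
    $media_id = isset( $_POST['media_id'] ) ? absint( $_POST['media_id'] ) : 0;
    // No nonce check: the request can also be forged cross-site (CSRF).
    // No capability / ownership check: any role may delete any attachment.
    wp_delete_attachment( $media_id, true );
    wp_send_json_success();
}

// --- Hardened version ------------------------------------------------------
add_action( 'wp_ajax_example_delete_media', 'example_delete_media_hardened' );
function example_delete_media_hardened() {
    // 1. Nonce: binds the request to a token issued to this user for this action
    //    (reads _ajax_nonce or _wpnonce, dies with 403 on mismatch).
    check_ajax_referer( 'example_delete_media', false );

    $media_id = isset( $_POST['media_id'] ) ? absint( $_POST['media_id'] ) : 0;
    if ( ! $media_id || 'attachment' !== get_post_type( $media_id ) ) {
        wp_send_json_error( 'invalid media id', 400 );
    }

    // 2. Authorization: the 'delete_post' meta capability resolves per object,
    //    so subscribers are refused, authors pass only for their own items,
    //    and editors/administrators pass for all.
    if ( ! current_user_can( 'delete_post', $media_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_attachment( $media_id, true );
    wp_send_json_success();
}

// Issue the nonce to the front end (assumes a script registered as 'example-media').
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-media', 'exampleMedia', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_media' ),
    ) );
} );

// Same rule for REST routes: a state-changing endpoint must never ship with
// 'permission_callback' => '__return_true'. REST requests are nonce-checked by
// core (X-WP-Nonce), so the callback only needs the capability decision.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/media/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => function ( WP_REST_Request $req ) {
            $deleted = wp_delete_attachment( (int) $req['id'], true );
            return rest_ensure_response( array( 'deleted' => (bool) $deleted ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'delete_post', (int) $req['id'] );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, grep every `wp_ajax_*`, `wp_ajax_nopriv_*` and `register_rest_route` registration and confirm that each state-changing callback performs both a nonce check and a `current_user_can()` check before touching data; `is_user_logged_in()` alone is exactly the subscriber-level bypass the advisory describes.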

Exploitation

An attacker holding a subscriber-level account (the CVE description does not confirm an unauthenticated path) sends crafted requests to the affected endpoints; nothing beyond ordinary HTTP access to the site is required. Because the handler never verifies the caller's capability or a valid nonce, the request is processed as if it came from a higher-privileged user. The advisory does not name the specific functions or endpoints involved. [1]

Impact

Successful exploitation lets the attacker perform actions that should be restricted to higher-privileged users such as administrators. Depending on which functions are exposed, this can mean unauthorized access to, modification of, or deletion of media content, and potentially changes to plugin settings, affecting the confidentiality, integrity and availability of the WordPress site. [1]

Mitigation

The issue is fixed in rtMedia 4.7.10; update to 4.7.10 or later. As of publication no workaround is known, and Patchstack notes that no virtual patch can be assigned, so upgrading is the only remediation. Because the vulnerability is expected to be exploited in mass campaigns, prioritize the update. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No fix commit has been linked yet; the fix shipped in release 4.7.10 (see Mitigation).

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics (root cause, attack vector, affected code, fix) are generated only when the actual fix diff can be read; without it those four sections would be speculation rather than analysis.

References: 1 (cited inline as [1])

News mentions: 0. No linked articles in our index yet.