PatchSiren cyber security CVE debrief
CVE-2026-15287 rtcamp CVE debrief
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to time-based SQL Injection via the order_by parameter in all versions up to, and including, 4.6.18. This vulnerability allows authenticated attackers, with subscriber access and above, to append additional SQL queries into existing queries, potentially leading to sensitive information extraction from the database.
- Vendor
- rtcamp
- Product
- rtMedia for WordPress, BuddyPress and bbPress
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the rtMedia for WordPress, BuddyPress and bbPress plugin, particularly those with subscriber access or higher, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The rtMedia for WordPress, BuddyPress and bbPress plugin is susceptible to time-based SQL Injection attacks due to insufficient escaping of the user-supplied order_by parameter and lack of adequate preparation of existing SQL queries. This vulnerability, rated with a CVSS score of 6.5 (MEDIUM severity), can be exploited by authenticated attackers with subscriber access or higher to inject additional SQL queries, potentially leading to unauthorized data extraction.
Defensive priority
Medium priority should be given to updating the rtMedia for WordPress, BuddyPress and bbPress plugin to a version beyond 4.6.18, as the vulnerability allows for potential data breaches through SQL Injection.
Recommended defensive actions
- Update the rtMedia for WordPress, BuddyPress and bbPress plugin to a version beyond 4.6.18.
- Implement web application firewalls (WAFs) to detect and prevent SQL Injection attacks.
- Monitor database activity for suspicious query patterns.
- Restrict access to sensitive database information.
- Regularly review and update access controls for the plugin.
Evidence notes
The CVE record was published on 2026-07-10T05:16:31.657Z and was last modified on 2026-07-10T19:17:20.527Z. The vulnerability details were provided by [email protected] and are associated with CWE-89. The NVD entry for this CVE is currently Deferred.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:31.657Z and has not been modified since then. The NVD entry is currently Deferred.