PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15287 rtcamp CVE debrief

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to time-based SQL Injection via the order_by parameter in all versions up to, and including, 4.6.18. This vulnerability allows authenticated attackers, with subscriber access and above, to append additional SQL queries into existing queries, potentially leading to sensitive information extraction from the database.

Vendor
rtcamp
Product
rtMedia for WordPress, BuddyPress and bbPress
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the rtMedia for WordPress, BuddyPress and bbPress plugin, particularly those with subscriber access or higher, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The rtMedia for WordPress, BuddyPress and bbPress plugin is susceptible to time-based SQL Injection attacks due to insufficient escaping of the user-supplied order_by parameter and lack of adequate preparation of existing SQL queries. This vulnerability, rated with a CVSS score of 6.5 (MEDIUM severity), can be exploited by authenticated attackers with subscriber access or higher to inject additional SQL queries, potentially leading to unauthorized data extraction.

Defensive priority

Medium priority should be given to updating the rtMedia for WordPress, BuddyPress and bbPress plugin to a version beyond 4.6.18, as the vulnerability allows for potential data breaches through SQL Injection.

Recommended defensive actions

  • Update the rtMedia for WordPress, BuddyPress and bbPress plugin to a version beyond 4.6.18.
  • Implement web application firewalls (WAFs) to detect and prevent SQL Injection attacks.
  • Monitor database activity for suspicious query patterns.
  • Restrict access to sensitive database information.
  • Regularly review and update access controls for the plugin.

Evidence notes

The CVE record was published on 2026-07-10T05:16:31.657Z and was last modified on 2026-07-10T19:17:20.527Z. The vulnerability details were provided by [email protected] and are associated with CWE-89. The NVD entry for this CVE is currently Deferred.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:31.657Z and has not been modified since then. The NVD entry is currently Deferred.