
CVE-2025-5526: BuddyPress Docs < 2.2.5 - Subscriber+ Arbitrary Document Read/Update

Description

The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged-in user to view and download files belonging to another user.

Classification

CVE ID: CVE-2025-5526

Problem Types

CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products

Vendor: Unknown

Product: BuddyPress Docs

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.34% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-07-16 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5526
https://wpscan.com/vulnerability/10196cd3-5bf7-4e40-a4f7-4ff2d34d516d/

Timeline