Access Control Flaw in BuddyPress Docs Plugin
CVE-2025-5526

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Buddypress Docs
Vendor: CVE Published:; 27 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-5526?

The BuddyPress Docs plugin for WordPress prior to version 2.2.5 is affected by an access control vulnerability that permits authenticated users to access and download private files belonging to other users. This security gap may expose sensitive information, allowing improper access to user data, highlighting the importance of implementing robust access controls within applications.

Affected Version(s)

BuddyPress Docs 0 < 2.2.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-5526 - Proof of Concept

References

https://wpscan.com/vulnerability/10196cd3-5bf7-4e40-a4f7-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 27, 2025
👾
Exploit known to exist
Jun 27, 2025
Vulnerability published
Jun 27, 2025
Vulnerability Reserved
Jun 3, 2025

Credit

Terrence Bosco

Alexus Bosco

Andrew Risorto

WPScan