BuddyPress Docs < 2.2.5 – Subscriber+ Arbitrary Document Read/Update | CVE 2025-5526

Description

The plugin lacks proper access controls and allows a logged in user to view and download files belonging to another user

Proof of Concept

1. Configure a web browser to utilize an intercepting proxy such as Burp Suite.
2. Install the BuddyPress Documents plugin.
3. Authenticate to the application as a basic user, in this example “user1” is used. 
4. Navigate to the documents portion of the buddy press user by selecting the username in the top right corner then selecting “Documents”. Observe no documents are available. 
5. Select “Create New Document”.
6. Input the necessary information including an attachment. 
7. Modify the document permissions such that only the author has access. Then, select “Save”
8. Inspect the HTTP traffic and locate the save document request. Take note of the doc_id parameter and save it for later requests. In this example doc_id=337 was saved.
9. Navigate back the user1’s documents and observe a new document has been created 
10. In a new browser session authenticates a different standard user, in this example “user2” was used. Navigate to user1’s BuddyPress page, select “Documents” and observe no documents are available. 
11. As user2 create a new document. Observe no attachment is not added. 
12. Navigate to user2’s newly created document and select “Edit”
13. While intercepting, Make an arbitrary edit and save the document.
14. Modify the doc_id POST body parameter to the value saved from Step 8 as well as the view permissions set to “anyone”. Observe the application successfully resolve the request. 
15. As user2 navigate back to user1’s documents observe the previously privated document is now public. Also, note the document’s subject and body has been changed to that to the doc%5Btitle%5D and doc_content from user2’s edit. 
16. Select the document, then select the attachment. 
17. Observe the document’s attachment can now be accessed. 
18. Select “History” and observe user2 has modified user1’s document