CVE-2025-5526: 
WordPress vulnerability analysis and mitigation

The BuddyPress Docs WordPress plugin before version 2.2.5 contains a vulnerability related to improper access controls. This security issue was discovered and publicly disclosed on June 6, 2025, and was assigned CVE-2025-5526. The vulnerability affects the BuddyPress Docs plugin, a WordPress extension that enables document management functionality (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue and falls under the OWASP Top 10 category A5: Broken Access Control. It has been assigned CWE-639 and received a CVSS score of 4.3 (medium severity). The technical issue stems from insufficient access control mechanisms that fail to properly restrict document access and modification capabilities (WPScan).

When exploited, this vulnerability allows any authenticated user (Subscriber level or higher) to view and download files belonging to other users, even when those files are intended to be private. Additionally, attackers can modify document permissions and content, effectively bypassing the intended access controls (WPScan).

The vulnerability has been fixed in BuddyPress Docs version 2.2.5. Users are strongly advised to update to this version or later to protect against unauthorized access to documents (WPScan).