Medium severity 4.3 · NVD Advisory · Published Mar 17, 2017 · Updated May 13, 2026
CVE-2017-6954
Description
An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| buddypress/buddypress (Packagist) | < 1.9.3 | 1.9.3 |
Affected products: 1
Patches: 1
75293ed4e5f3 · Improved permission check when processing a Doc save request.
1 file changed · +8 −0
includes/component.php+8 −0 modified@@ -381,6 +381,14 @@ function catch_page_load() { if ( !empty( $_POST['doc-edit-submit'] ) ) { + // Existing Docs have a more specific permission check. + $doc = bp_docs_get_current_doc(); + if ( $doc && ! current_user_can( 'bp_docs_edit', $doc->ID ) ) { + return; + } elseif ( ! $doc && ! current_user_can( 'bp_docs_create' ) ) { + return; + } + check_admin_referer( 'bp_docs_save' ); $this_doc = new BP_Docs_Query;
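Review bot: both new denial branches in catch_page_load() end in a bare `return;`, so a rejected save looks the same as a request that did nothing: the user gets no error and the denied attempt leaves no trace. Consider surfacing a permission error (or redirecting with a message) instead, so failed edit attempts on another user's Doc are visible. It is also worth confirming in the surrounding code, which this hunk does not show, that the Doc checked via `bp_docs_get_current_doc()` is the same Doc the `BP_Docs_Query` save below writes to; if the save takes its target from a different request field, the `bp_docs_edit` check would cover the wrong ID. A regression test that submits `doc-edit-submit` as a user lacking `bp_docs_edit` on an existing Doc would pin the fix.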
References (6)
- github.com/boonebgorges/buddypress-docs/commit/75293ed4e5f31f04e54689bfe2c647e3e3f5e1a9 · nvd · Patch · Third Party Advisory · WEB
- github.com/advisories/GHSA-9wf6-88x4-6xvj · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-6954 · ghsa · ADVISORY
- wordpress.org/plugins/buddypress-docs/changelog/ · nvd · Release Notes · Third Party Advisory
- www.securityfocus.com/bid/97238 · nvd · WEB
- wordpress.org/plugins/buddypress-docs/changelog · ghsa · WEB