BuddyPress Docs Security & Risk Analysis

wordpress.org/plugins/buddypress-docs

Adds collaborative Docs to BuddyPress.

7K active installs · Version 2.2.7 · Requires WP 3.3+ (no PHP minimum listed) · Updated Mar 19, 2026
Tags: buddypress, collaboration, docs, documents, wiki

Security score: 97/100 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jun 6, 2025
Safety Verdict

Is BuddyPress Docs Safe to Use in 2026?

Generally Safe

Score 97/100

BuddyPress Docs has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Jun 6, 2025 · Updated 2mo ago
Risk Assessment

The analysed release, BuddyPress Docs v2.2.6 (2.2.7 is current as of Mar 19, 2026), shows a mixed security posture. On the positive side, data handling is generally sound: 26 of 28 SQL queries use prepared statements (93%) and 576 of 624 outputs are escaped (92%), and the 20 nonce checks and 62 capability checks indicate a deliberate effort to protect state-changing paths. The main concern is the attack surface: the static scan flags 11 of the 13 AJAX handlers as "unprotected", meaning no explicit authentication or authorization check (nonce verification or capability test) was found in the handler itself. Twelve of the handlers are registered on wp_ajax_ hooks, which WordPress dispatches only to logged-in users; bp_docs_get_folder_content is also registered on wp_ajax_nopriv_ and is therefore reachable without a session. A missing in-handler check is a lead for manual review rather than a confirmed flaw (the check may live in a helper the scan does not follow), but any flagged handler that acts on a caller-supplied document or folder ID without a capability check would repeat the authorization-bypass pattern in this plugin's CVE history.

The taint analysis covers only nine flows, and one of them, in bp_docs_is_current_orderby_class (includes\templatetags.php:819), has an unsanitised path. It is not rated critical or high, but it warrants a look. The vulnerability history consists of three medium-severity issues: an authorization bypass (CVE-2017-6954, fixed in 1.9.3), a reflected cross-site scripting flaw (CVE-2024-9207, fixed in 2.2.4), and an insecure direct object reference that let subscriber-level users read or update arbitrary documents (CVE-2025-5526, fixed in 2.2.5). None is unpatched, but two of the three are authorization failures, so ongoing review should concentrate on object-level access checks and input handling.

In conclusion, BuddyPress Docs v2.2.6 is strong on query construction and output escaping. The number of AJAX endpoints without an in-handler authorization check is the main residual risk, and the past vulnerability types show where remediation has historically been needed. Recommended next steps are to trace the unsanitised flow to its sink and to apply one consistent pattern to every AJAX endpoint: verify the nonce, then check a capability scoped to the specific document or folder being acted on.

Key Concerns

  • 11 of 13 AJAX handlers without an explicit in-handler nonce or capability check (one also reachable unauthenticated via wp_ajax_nopriv_)
  • One taint flow with an unsanitised path (bp_docs_is_current_orderby_class)
  • Three past medium-severity CVEs, two of them authorization failures
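The "unprotected" count above comes from a static heuristic, and it is worth seeing what such a heuristic does and does not catch. The Python script below is added here as an illustration; it is not this report's scanner and not BuddyPress Docs code, and the demo_* function names and the PHP sample are invented for the example. It finds wp_ajax_ and wp_ajax_nopriv_ registrations with plain-string callbacks, looks in each callback body for a nonce or capability call, and shows why a handler whose guard sits in a helper function is counted as unprotected unless the scan follows calls.

```python
import re
from dataclasses import dataclass

# Constructed sample in the registration style this report lists for
# includes/addon-folders.php (wp_ajax_* hooks pointing at plain functions).
# It is NOT BuddyPress Docs code; the demo_* names are invented.
SAMPLE_PHP = r'''<?php
add_action( 'wp_ajax_demo_update_folder', 'demo_update_folder' );
add_action( 'wp_ajax_demo_get_folder', 'demo_get_folder' );
add_action( 'wp_ajax_nopriv_demo_get_folder', 'demo_get_folder' );
add_action( 'wp_ajax_demo_delete_folder', 'demo_delete_folder' );

function demo_update_folder() {
    check_ajax_referer( 'demo_folder_nonce', 'nonce' );        // CSRF guard
    if ( ! current_user_can( 'edit_posts' ) ) {                // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( intval( $_POST['folder_id'] ) );
}

function demo_get_folder() {
    // No nonce, no capability check: whatever WordPress dispatches here runs.
    wp_send_json_success( demo_load_folder( intval( $_GET['folder_id'] ) ) );
}

function demo_delete_folder() {
    demo_verify_request();   // the guard lives in a helper
    wp_send_json_success();
}

function demo_verify_request() {
    check_ajax_referer( 'demo_folder_nonce', 'nonce' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}
'''

# add_action( 'wp_ajax_[nopriv_]<action>', '<callback>' ) with a string callback;
# array( $this, 'method' ) style callbacks are out of scope for this example.
REGISTRATION_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)
# Calls that count as a CSRF or authorization guard for this heuristic.
GUARD_RE = re.compile(
    r"\b(check_ajax_referer|wp_verify_nonce|current_user_can|is_user_logged_in)\s*\("
)
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


@dataclass(frozen=True)
class Handler:
    action: str
    callback: str
    nopriv: bool

    @property
    def hook(self):
        return ("wp_ajax_nopriv_" if self.nopriv else "wp_ajax_") + self.action


def find_ajax_handlers(php):
    return [Handler(action=m.group(2), callback=m.group(3), nopriv=m.group(1) is not None)
            for m in REGISTRATION_RE.finditer(php)]


def function_body(php, name):
    """Body of a top-level PHP function by brace matching, or None if undefined.
    Braces inside strings/comments are not handled; enough for this sample."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", php)
    if m is None:
        return None
    start = php.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(php)):
        if php[i] == "{":
            depth += 1
        elif php[i] == "}":
            depth -= 1
            if depth == 0:
                return php[start + 1:i]
    return None


def is_guarded(php, callback, follow_helpers=False, _seen=None):
    """True if the callback (or, optionally, a local function it calls) contains a guard."""
    body = function_body(php, callback)
    if body is None:
        return False
    if GUARD_RE.search(body):
        return True
    if not follow_helpers:
        return False
    seen = _seen if _seen is not None else {callback}
    for called in CALL_RE.findall(body):
        if called not in seen:
            seen.add(called)
            if is_guarded(php, called, True, seen):
                return True
    return False


def classify(php, follow_helpers=False):
    result = {}
    for h in find_ajax_handlers(php):
        if is_guarded(php, h.callback, follow_helpers):
            result[h.hook] = "protected"
        elif h.nopriv:
            result[h.hook] = "unprotected (reachable without login)"
        else:
            result[h.hook] = "unprotected (logged-in users only)"
    return result


def summarize(php, follow_helpers=False):
    """(total handlers, handlers flagged unprotected)."""
    statuses = list(classify(php, follow_helpers).values())
    return len(statuses), sum(1 for s in statuses if s.startswith("unprotected"))


if __name__ == "__main__":
    for mode in (False, True):
        print("follow_helpers =", mode, summarize(SAMPLE_PHP, mode))
        for hook, status in classify(SAMPLE_PHP, mode).items():
            print(f"  {hook:34} {status}")
```

With follow_helpers off, the sample reports 3 of 4 registrations unprotected; with it on, demo_delete_folder is recognised as guarded through its helper and the count drops to 2. The two remaining findings are the ones that matter: the wp_ajax_nopriv_ registration runs for anonymous visitors, and the wp_ajax_ one runs for any logged-in user regardless of role. Neither result says anything about what the handler does with folder_id, so object-level authorization still has to be reviewed by hand.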
Vulnerabilities
3 published

BuddyPress Docs Security Vulnerabilities

CVEs by Year

2017: 1 CVE
2024: 1 CVE
2025: 1 CVE
All three are patched; none is outstanding.

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2025-5526 · medium · CVSS 5.4 · Authorization Bypass Through User-Controlled Key
BuddyPress Docs <= 2.2.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Document Read/Update
Jun 6, 2025 · Patched in 2.2.5 (34d)

CVE-2024-9207 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
BuddyPress Docs <= 2.2.3 - Reflected Cross-Site Scripting
Oct 7, 2024 · Patched in 2.2.4 (229d)

CVE-2017-6954 · medium · CVSS 4.3 · Improper Privilege Management
BuddyPress Docs <= 1.9.2 - Authorization Bypass
Mar 17, 2017 · Patched in 1.9.3 (2503d)
Version History

BuddyPress Docs Release Timeline

Code Analysis
Analyzed Mar 16, 2026

BuddyPress Docs Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (26 prepared)
Unescaped Output: 48 (576 escaped)
Nonce Checks: 20
Capability Checks: 62
File Operations: 3
External Requests: 1
Bundled Libraries: 2

Bundled Libraries

jQuery, TinyMCE

SQL Query Safety

93% prepared (26 of 28 queries)

Output Escaping

92% escaped (576 of 624 outputs)
Data Flows · Security
1 unsanitized

Data Flow Analysis

9 flows analysed, 1 with an unsanitized path:
bp_docs_is_current_orderby_class (includes\templatetags.php:819)
Attack Surface
11 unprotected

BuddyPress Docs Attack Surface

Entry Points: 14 (13 AJAX handlers + 1 shortcode)
Unprotected: 11

AJAX Handlers (13)

auth = registered on wp_ajax_ (WordPress dispatches it to logged-in users only); nopriv = registered on wp_ajax_nopriv_ (reachable without login)

auth    wp_ajax_bp_docs_update_folders                includes\addon-folders.php:118
auth    wp_ajax_bp_docs_update_parent_folders         includes\addon-folders.php:119
auth    wp_ajax_bp_docs_update_folder_type            includes\addon-folders.php:120
auth    wp_ajax_bp_docs_update_folder_type_for_group  includes\addon-folders.php:121
auth    wp_ajax_bp_docs_process_folder_drop           includes\addon-folders.php:122
auth    wp_ajax_bp_docs_get_folder_content            includes\addon-folders.php:124
nopriv  wp_ajax_bp_docs_get_folder_content            includes\addon-folders.php:125
auth    wp_ajax_refresh_access_settings               includes\ajax-validation.php:17
auth    wp_ajax_refresh_associated_group              includes\ajax-validation.php:26
auth    wp_ajax_doc_attachment_item_markup            includes\attachments-ajax.php:14
auth    wp_ajax_bp_docs_create_dummy_doc              includes\attachments-ajax.php:30
auth    wp_ajax_remove_edit_lock                      includes\edit-lock.php:282
auth    wp_ajax_add_edit_lock                         includes\edit-lock.php:326

Shortcodes 1

[bp_docs_recent_docs] includes\shortcode.php:92
WordPress Hooks (225)

type    hook                                        location
action  plugins_loaded                              bp-docs.php:81
action  bp_docs_load                                bp-docs.php:84
action  bp_docs_load                                bp-docs.php:87
action  bp_docs_load                                bp-docs.php:90
action  bp_docs_load                                bp-docs.php:93
action  bp_init                                     bp-docs.php:96
action  bp_docs_init                                bp-docs.php:99
action  bp_docs_init                                bp-docs.php:100
action  bp_docs_init                                bp-docs.php:103
action  bp_docs_init                                bp-docs.php:106
action  generate_rewrite_rules                      bp-docs.php:109
action  parse_query                                 bp-docs.php:112
action  template_redirect                           bp-docs.php:115
action  admin_init                                  bp-docs.php:117
filter  posts_request                               bp-docs.php:626
filter  the_posts                                   bp-docs.php:629
action  pre_get_posts                               includes\access-query.php:182
action  pre_get_posts                               includes\access-query.php:241
action  pre_get_comments                            includes\access-query.php:285
action  pre_get_posts                               includes\access-query.php:377
action  pre_get_comments                            includes\access-query.php:406
action  save_post_bp_doc                            includes\access-query.php:418
action  trashed_post                                includes\access-query.php:419
action  set_object_terms                            includes\access-query.php:420
action  comment_approved_                           includes\activity.php:101
action  comment_post                                includes\activity.php:117
action  bp_docs_doc_saved                           includes\activity.php:237
action  transition_post_status                      includes\activity.php:280
action  bp_register_activity_actions                includes\activity.php:309
filter  bp_activity_prefetch_object_data            includes\activity.php:446
action  bp_screens                                  includes\activity.php:483
filter  bp_activity_get_where_conditions            includes\activity.php:578
filter  bp_ass_send_activity_notification_for_user  includes\activity.php:595
filter  ass_digest_record_activity_allow            includes\activity.php:613
filter  bp_ajax_querystring                         includes\activity.php:707
filter  bp_docs_post_args_before_save               includes\addon-akismet.php:25
filter  akismet_ua                                  includes\addon-akismet.php:161
action  bp_docs_enqueue_scripts                     includes\addon-folders.php:28
filter  bp_docs_tax_query                           includes\addon-folders.php:91
filter  bp_docs_map_meta_caps                       includes\addon-folders.php:94
filter  bp_docs_before_save_folder_selection        includes\addon-folders.php:97
action  bp_docs_doc_breadcrumbs                     includes\addon-folders.php:100
action  bp_docs_single_doc_meta                     includes\addon-folders.php:103
action  bp_docs_before_tags_meta_box                includes\addon-folders.php:107
action  bp_docs_after_save                          includes\addon-folders.php:110
action  bp_actions                                  includes\addon-folders.php:113
action  bp_actions                                  includes\addon-folders.php:114
action  bp_actions                                  includes\addon-folders.php:115
filter  bp_docs_directory_breadcrumb                includes\addon-folders.php:134
filter  bp_docs_get_current_filters                 includes\addon-folders.php:137
action  bp_docs_directory_filter_attachments_form   includes\addon-folders.php:140
action  bp_docs_directory_filter_search_form        includes\addon-folders.php:141
filter  bp_docs_info_header_message                 includes\addon-folders.php:144
action  bp_docs_directory_filter_taxonomy_before    includes\addon-folders.php:147
action  bp_docs_directory_filter_taxonomy_after     includes\addon-folders.php:148
filter  bp_docs_get_create_link                     includes\addon-folders.php:151
filter  bp_docs_is_directory_view_filtered          includes\addon-folders.php:154
filter  bp_docs_doc_row_classes                     includes\addon-folders.php:157
filter  bp_docs_get_tag_link_url                    includes\addon-folders.php:2244
action  save_post_bp_doc                            includes\addon-folders.php:2593
action  trashed_post                                includes\addon-folders.php:2594
action  set_object_terms                            includes\addon-folders.php:2595
action  pre_get_posts                               includes\addon-folders.php:2632
action  save_post_bp_doc                            includes\addon-folders.php:2723
action  bp_docs_after_save                          includes\addon-folders.php:2738
action  trashed_post                                includes\addon-folders.php:2751
action  bp_docs_doc_deleted                         includes\addon-folders.php:2765
action  set_object_terms                            includes\addon-folders.php:2792
action  deleted_term_relationships                  includes\addon-folders.php:2814
action  parse_query                                 includes\addon-hierarchy.php:20
filter  bp_docs_post_type_args                      includes\addon-hierarchy.php:23
filter  bp_docs_get_parent_id_via_post              includes\addon-hierarchy.php:26
action  bp_docs_single_doc_meta                     includes\addon-hierarchy.php:29
action  bp_docs_single_doc_meta                     includes\addon-hierarchy.php:32
action  bp_docs_doc_deleted                         includes\addon-hierarchy.php:35
action  bp_actions                                  includes\addon-history.php:32
action  bp_actions                                  includes\addon-history.php:33
action  bp_docs_header_tabs                         includes\addon-history.php:458
action  bp_docs_init                                includes\addon-moderation.php:27
filter  display_post_states                         includes\addon-moderation.php:29
filter  bp_docs_init                                includes\addon-taxonomy.php:37
filter  bp_docs_init                                includes\addon-taxonomy.php:40
filter  bp_docs_prepare_terms_via_post              includes\addon-taxonomy.php:43
action  bp_docs_doc_saved                           includes\addon-taxonomy.php:46
action  bp_docs_single_doc_meta                     includes\addon-taxonomy.php:49
filter  bp_docs_tax_query                           includes\addon-taxonomy.php:52
filter  bp_docs_loop_additional_th                  includes\addon-taxonomy.php:55
filter  bp_docs_loop_additional_td                  includes\addon-taxonomy.php:56
filter  bp_docs_info_header_message                 includes\addon-taxonomy.php:59
filter  bp_docs_filter_types                        includes\addon-taxonomy.php:62
filter  bp_docs_filter_sections                     includes\addon-taxonomy.php:63
filter  bp_docs_is_directory_view_filtered          includes\addon-taxonomy.php:66
filter  bp_docs_handle_filters                      includes\addon-taxonomy.php:69
filter  the_content                                 includes\addon-wikitext.php:11
action  wp_dashboard_setup                          includes\admin.php:19
action  admin_menu                                  includes\admin.php:23
action  admin_menu                                  includes\admin.php:24
filter  wp_insert_post_empty_content                includes\attachments-ajax.php:22
action  template_redirect                           includes\attachments.php:27
filter  redirect_canonical                          includes\attachments.php:28
action  setup_theme                                 includes\attachments.php:29
action  bp_docs_doc_saved                           includes\attachments.php:30
filter  wp_handle_upload_prefilter                  includes\attachments.php:31
action  wp_enqueue_scripts                          includes\attachments.php:32
filter  media_view_settings                         includes\attachments.php:34
action  pre_get_posts                               includes\attachments.php:36
action  pre_get_posts                               includes\attachments.php:37
filter  bp_docs_filter_types                        includes\attachments.php:40
filter  bp_docs_filter_sections                     includes\attachments.php:41
filter  bp_docs_is_directory_view_filtered          includes\attachments.php:44
action  bp_actions                                  includes\attachments.php:47
filter  map_meta_cap                                includes\attachments.php:50
action  admin_init                                  includes\attachments.php:53
filter  upload_dir                                  includes\attachments.php:64
action  pre_get_posts                               includes\attachments.php:488
filter  map_meta_cap                                includes\attachments.php:724
action  admin_notices                               includes\attachments.php:798
action  network_admin_notices                       includes\attachments.php:799
filter  map_meta_cap                                includes\caps.php:133
action  widgets_init                                includes\class-wp-widget-recent-docs.php:23
action  bp_parse_query                              includes\component.php:132
action  bp_actions                                  includes\component.php:134
action  bp_actions                                  includes\component.php:140
action  comment_post_redirect                       includes\component.php:147
action  pre_comment_approved                        includes\component.php:150
filter  comments_template                           includes\component.php:154
filter  post_type_link                              includes\component.php:156
filter  comment_post                                includes\component.php:159
filter  comments_open                               includes\component.php:162
filter  bp_docs_filter_types                        includes\component.php:165
filter  bp_docs_filter_sections                     includes\component.php:166
filter  bp_docs_is_directory_view_filtered          includes\component.php:169
filter  bp_core_get_directory_page_ids              includes\component.php:175
filter  bp_activity_can_comment                     includes\component.php:178
filter  bp_get_the_body_class                       includes\component.php:181
filter  bp_docs_taxonomy_get_item_terms             includes\component.php:184
action  bp_docs_init                                includes\component.php:186
action  wp_enqueue_scripts                          includes\component.php:187
action  wp_print_styles                             includes\component.php:188
action  bp_actions                                  includes\component.php:191
filter  body_class                                  includes\component.php:194
action  bp_template_content                         includes\component.php:418
filter  wp_check_post_lock_window                   includes\component.php:501
filter  pre_option_comments_notify                  includes\component.php:781
filter  heartbeat_received                          includes\edit-lock.php:76
action  bp_actions                                  includes\edit-lock.php:97
filter  excerpt_length                              includes\formatting.php:27
filter  terms_to_edit                               includes\formatting.php:50
filter  wp_revisions_to_keep                        includes\functions.php:1034
filter  bp_active_components                        includes\functions.php:1053
action  bp_before_member_plugin_template            includes\functions.php:1055
action  bp_member_plugin_options_nav                includes\functions.php:1065
filter  wp_unique_post_slug                         includes\functions.php:1216
filter  bp_docs_get_item_type                       includes\integration-groups.php:38
filter  bp_docs_get_current_view                    includes\integration-groups.php:39
filter  bp_docs_this_doc_slug                       includes\integration-groups.php:40
filter  bp_docs_pre_query_args                      includes\integration-groups.php:41
action  bp_docs_filter_result_before_save           includes\integration-groups.php:44
action  bp_docs_after_successful_save               includes\integration-groups.php:45
filter  bp_docs_taxonomy_get_item_terms             includes\integration-groups.php:48
filter  bp_docs_user_can                            includes\integration-groups.php:51
filter  bp_docs_get_access_options                  includes\integration-groups.php:54
filter  bp_docs_activity_action                     includes\integration-groups.php:57
filter  bp_docs_activity_args                       includes\integration-groups.php:58
filter  bp_docs_comment_activity_action             includes\integration-groups.php:59
filter  bp_docs_hide_sitewide                       includes\integration-groups.php:62
filter  bp_docs_doc_saved                           includes\integration-groups.php:65
filter  bp_docs_doc_deleted                         includes\integration-groups.php:66
filter  bp_docs_loop_additional_th                  includes\integration-groups.php:69
filter  bp_docs_loop_additional_td                  includes\integration-groups.php:70
filter  bp_docs_doc_action_links                    includes\integration-groups.php:73
filter  bp_docs_page_links_base_url                 includes\integration-groups.php:76
filter  bp_docs_after_save                          includes\integration-groups.php:79
filter  bp_docs_before_doc_delete                   includes\integration-groups.php:80
filter  wp_insert_comment                           includes\integration-groups.php:81
filter  bp_page_title                               includes\integration-groups.php:89
filter  bp_docs_get_create_link                     includes\integration-groups.php:92
action  set_object_terms                            includes\integration-groups.php:95
action  bp_actions                                  includes\integration-groups.php:98
action  groups_created_group                        includes\integration-groups.php:1084
action  bp_actions                                  includes\integration-groups.php:1088
filter  bp_docs_directory_breadcrumb                includes\integration-groups.php:1850
action  bp_docs_doc_breadcrumbs                     includes\integration-groups.php:1909
filter  bp_docs_map_meta_caps                       includes\integration-groups.php:2100
filter  bp_docs_get_item_type                       includes\integration-users.php:14
filter  bp_docs_get_current_view                    includes\integration-users.php:15
filter  bp_docs_this_doc_slug                       includes\integration-users.php:16
action  wp                                          includes\integration-users.php:19
filter  bp_docs_doc_saved                           includes\integration-users.php:22
filter  bp_docs_doc_deleted                         includes\integration-users.php:23
filter  bp_docs_taxonomy_get_item_terms             includes\integration-users.php:26
filter  bp_docs_page_links_base_url                 includes\integration-users.php:29
action  bp_actions                                  includes\integration-users.php:32
filter  bp_docs_directory_breadcrumb                includes\integration-users.php:325
action  bp_docs_doc_breadcrumbs                     includes\integration-users.php:367
action  bp_docs_loop_after_doc_excerpt              includes\integration-users.php:384
filter  posts_search                                includes\query-builder.php:229
action  pre_post_update                             includes\query-builder.php:484
action  bp_docs_before_doc_edit_content             includes\templatetags-edit.php:124
filter  mce_buttons                                 includes\templatetags-edit.php:200
filter  tiny_mce_before_init                        includes\templatetags-edit.php:215
filter  mce_external_plugins                        includes\templatetags-edit.php:238
filter  mce_buttons                                 includes\templatetags-edit.php:294
filter  mce_buttons_3                               includes\templatetags-edit.php:312
filter  bp_docs_info_header_message                 includes\templatetags.php:453
action  bp_member_plugin_options_nav                includes\templatetags.php:1613
action  bp_docs_single_doc_header_fields            includes\templatetags.php:2065
filter  template_include                            includes\theme-bridge.php:66
filter  bp_enqueue_assets_in_bp_pages_only          includes\theme-bridge.php:112
action  bp_setup_theme_compat                       includes\theme-bridge.php:133
filter  bp_get_template_stack                       includes\theme-bridge.php:154
filter  bp_get_buddypress_template                  includes\theme-bridge.php:156
filter  bp_use_theme_compat_with_current_theme      includes\theme-bridge.php:158
action  bp_template_include_reset_dummy_post_data   includes\theme-bridge.php:165
filter  bp_replace_the_content                      includes\theme-bridge.php:166
filter  bp_force_comment_status                     includes\theme-bridge.php:172
filter  bp_force_comment_status                     includes\theme-bridge.php:175
filter  bp_docs_allow_comment_section               includes\theme-bridge.php:178
action  bp_template_include_reset_dummy_post_data   includes\theme-bridge.php:184
filter  bp_replace_the_content                      includes\theme-bridge.php:185
action  bp_template_include_reset_dummy_post_data   includes\theme-bridge.php:188
filter  bp_replace_the_content                      includes\theme-bridge.php:189
filter  get_block_templates                         includes\theme-bridge.php:433
action  admin_notices                               includes\upgrade.php:31
action  bp_include                                  loader.php:48
Maintenance & Trust

BuddyPress Docs Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 19, 2026
PHP min version: not specified
Downloads: 324K

Community Trust

Rating: 88/100
Number of ratings: 35
Active installs: 7K
Developer Profile

BuddyPress Docs Developer Profile

Boone Gorges

28 plugins · 11K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 1694 days
Detection Fingerprints

How We Detect BuddyPress Docs

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/buddypress-docs/includes/css/folders.css
/wp-content/plugins/buddypress-docs/includes/css-rtl/folders.css
/wp-content/plugins/buddypress-docs/includes/js/folders.js
/wp-content/plugins/buddypress-docs/lib/css/chosen/chosen.min.css
/wp-content/plugins/buddypress-docs/lib/js/chosen/chosen.jquery.min.js
Script Paths
/wp-content/plugins/buddypress-docs/includes/js/folders.js
Version Parameters
buddypress-docs/includes/js/folders.js?ver=
buddypress-docs/includes/css-rtl/folders.css?ver=
buddypress-docs/includes/css/folders.css?ver=
buddypress-docs/lib/css/chosen/chosen.min.css?ver=
buddypress-docs/lib/js/chosen/chosen.jquery.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
bp-docs-folders, bp-docs-folder-item, bp-docs-folder-tree
HTML Comments
<!-- It's on like Donkey Kong -->
<!-- BuddyPress Docs introduces a lot of overhead. Unless otherwise specified, don't load the plugin on subsites of an MS install -->
<!-- Folder functionality. -->
<!-- Constructor. -->
+31 more (these read as source-code comments rather than markup emitted to the browser, so treat them as weak signals for rendered-page detection)
Data Attributes
data-bp-docs-folder-id, data-bp-docs-folder-name, data-bp-docs-folder-parent-id
JS Globals
BP_Docs_Folders
REST Endpoints
/wp-json/buddypress-docs/v1/folders
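A version-aware check built from the fingerprints above, added here as an example (it is not the site's crawler and not plugin code). It looks for the plugin's asset path and DOM markers, reads the ?ver= parameter from the plugin's assets, discards any value that also appears on WordPress core assets (a plugin enqueued without an explicit version inherits the core version there, so that value says nothing about the plugin), takes a majority vote across the remaining assets, and maps the result against the affected-version ceilings in this page's CVE table. Both HTML inputs are constructed for the example, including the version shown on the bundled chosen library.

```python
import re
from collections import Counter

# Fingerprints from the "Detection Fingerprints" section of this page.
PLUGIN_PATH = "/wp-content/plugins/buddypress-docs/"
DOM_MARKERS = ("bp-docs-folders", "bp-docs-folder-tree", "data-bp-docs-folder-id", "BP_Docs_Folders")

# ?ver= values on the plugin's assets and on WordPress core assets.
PLUGIN_ASSET_RE = re.compile(
    r"/wp-content/plugins/buddypress-docs/[^\s\"'?]+\?ver=([0-9]+(?:\.[0-9]+)*)"
)
CORE_ASSET_RE = re.compile(r"/wp-includes/[^\s\"'?]+\?ver=([0-9]+(?:\.[0-9]+)*)")

# (CVE, highest affected version, fixing release) from the CVE table on this page.
KNOWN_CVES = (
    ("CVE-2025-5526", "2.2.4", "2.2.5"),
    ("CVE-2024-9207", "2.2.3", "2.2.4"),
    ("CVE-2017-6954", "1.9.2", "1.9.3"),
)

# Constructed responses (not captured from a real site). The first advertises
# 2.2.4 on the plugin's own assets while the bundled chosen library carries a
# library version; the second shows a plugin enqueued without a version, so its
# assets inherit the core version and no plugin version can be inferred.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<link rel='stylesheet' href='https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.9.4' />
<link rel='stylesheet' href='https://example.test/wp-content/plugins/buddypress-docs/includes/css/folders.css?ver=2.2.4' />
<link rel='stylesheet' href='https://example.test/wp-content/plugins/buddypress-docs/lib/css/chosen/chosen.min.css?ver=1.8.7' />
<script src='https://example.test/wp-content/plugins/buddypress-docs/includes/js/folders.js?ver=2.2.4'></script>
</head><body>
<div class="bp-docs-folders"><div class="bp-docs-folder-item" data-bp-docs-folder-id="7"></div></div>
</body></html>"""

AMBIGUOUS_HTML = """<html><head>
<link rel='stylesheet' href='https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.9.4' />
<link rel='stylesheet' href='https://example.test/wp-content/plugins/buddypress-docs/includes/css/folders.css?ver=6.9.4' />
</head><body><div class="bp-docs-folders"></div></body></html>"""


def parse_version(text):
    """'2.2.4' -> (2, 2, 4) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def detect(html):
    """Presence and best-effort version of the plugin from one HTML response."""
    present = PLUGIN_PATH in html or any(marker in html for marker in DOM_MARKERS)
    core_versions = set(CORE_ASSET_RE.findall(html))
    # Majority vote across plugin assets, ignoring values that are really the core version.
    candidates = Counter(v for v in PLUGIN_ASSET_RE.findall(html) if v not in core_versions)
    version = candidates.most_common(1)[0][0] if candidates else None
    return {"present": present, "version": version, "candidates": dict(candidates)}


def applicable_cves(version):
    """CVEs from the page's table whose affected range still covers this version."""
    v = parse_version(version)
    return [cve for cve, ceiling, _fixed_in in KNOWN_CVES if v <= parse_version(ceiling)]


def assess(html):
    report = detect(html)
    report["cves"] = applicable_cves(report["version"]) if report["version"] else []
    return report


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))      # version 2.2.4 -> CVE-2025-5526 still applies
    print(assess(AMBIGUOUS_HTML))   # present, but version unknown -> nothing asserted
```

When the version cannot be inferred the checker deliberately reports no CVEs rather than guessing; a follow-up request for the plugin's readme.txt or a look at the /wp-json/buddypress-docs/v1/folders endpoint is the usual next step, and any CVE match from a ?ver= string should be confirmed against the actual behaviour before it goes in a report.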
FAQ

Frequently Asked Questions about BuddyPress Docs