Improper Access Control in Buddypress core allows reply,delete any user's activity in other public group,which they don't join.
Step 1: Create two account A, B with two public groups Step 2: In group A-account A, create a new activity [id_A] Step 3: In group B-account B, create a new activity [id_B] Step 4: In group A-account A select reply/delete action, use proxy to capture this request Step 5: Change id_A by id_B Step 6: Done, you deleted or reply user's activity without joining group
Valid access control with their roles
PoC with video
Attacker without joining to group performs to reply,delete any activities without permission.