BuddyPress 1.7.3 is now available. This is a security and maintenance release, and we urge all installations running BP 1.5 or later to upgrade immediately.

Version 1.7.3 includes fixes for the following:

  • A cross-site scripting vulnerability in the way that success/error messages are stored and then displayed
  • A bug that caused Set-Cookie headers to be sent inappropriately, causing problems for certain caching configurations

Complete details can be found in the 1.7.3 release notes.

Many thanks to Andrew Nacin for his responsible disclosure of the XSS issue to the BuddyPress team. As a reminder to the community: if you think you’ve found a security issue in BuddyPress, please follow proper disclosure procedure and report the issue directly to the BP development team (or to security [at] wordpress.org).

Download BuddyPress 1.7.3 from Dashboard > Updates, or from the wordpress.org plugin repository.