BuddyPress 2.3.3 is now available. This is an important maintenance and security release for the 2.3 branch of code, and it is recommended that all BuddyPress installations be upgraded as soon as possible.
BuddyPress Messages, while off by default, is a component that’s frequently enabled to allow members to communicate privately with each other. A vulnerability was responsibly disclosed to the BuddyPress team that could allow members to manipulate a failed private outbound message and inject unexpected output into the browser. This vulnerability was reported by Krzysztof Katowicz-Kowalewski. The BuddyPress team independently discovered and fixed related vulnerabilities in the Messages component that could allow carefully crafted private message content to be rendered incorrectly in the browser.
This release also includes fixes for several other bugs introduced in the 2.3 series, and improves support for administration changes made in WordPress 4.3.
Update to BuddyPress 2.3.3 today in your WordPress Dashboard, or by downloading from the wordpress.org plugin repository.