BuddyPress 2.3.5 is now available.

This is a security release for all previous versions. All BuddyPress installations are strongly encouraged to upgrade immediately.

BuddyPress versions 2.3.4 and earlier are subject to a vulnerability that may allow privilege escalation for logged-in users. We have no evidence that this bug has ever been exploited in the wild, but we’re eager to make sure that it is not.

The vulnerability was discovered and reported by Slava Abakumov, and the fix was prepared by the BuddyPress team. Thanks to Slava for responsibly reporting the issue.

If your WordPress site supports automatic background updates, then your BuddyPress installation should update automatically, probably by the time you’ve read this blog post.

We always encourage users to run the latest version of BuddyPress. But for those sites that cannot update to the 2.3.x series for whatever reason, we’re simultaneously releasing version 2.0.4, 2.1.2, and 2.2.4, which include the fix for the vulnerability. You can download these packages manually from https://wordpress.org/plugins/buddypress/developers/.

Questions or comments? Stop by the buddypress.org support forums.