BuddyPress 2.7.4 is now available, and is a security release and recommended upgrade for all BuddyPress installations. We’ve also ported the code changes in 2.7.4 to all branches back to 2.0, and are pushing updates out to all installations where we are able to do so.
These releases include a fix for a bug in the BuddyPress core attachments API that could allow arbitrary file deletion on certain installation configurations.
This bug was responsibly disclosed to the WordPress security team (and the BuddyPress team) through the WordPress HackerOne Bounty Program by Sam Pizzey (mopman).
Both Boone & Paul worked together to fix this for all versions of BuddyPress that are currently in active use, and Stephen & Dion helped package and push these releases out.
Please update to these latest versions of BuddyPress today in your WordPress Dashboard, or by downloading from the wordpress.org plugin repository.