BuddyPress 2.9.1 is now available. This is a security and maintenance release. We strongly encourage all BuddyPress sites to upgrade as soon as possible.

We fixed two regressions introduced in 2.9:

  • Groups: fix group description truncation length on group screen.
  • Profiles: fix avatar quality when requesting avatar sizes larger than the user’s uploaded avatar.

Importantly, BuddyPress 2.9.1 and earlier versions were affected by the following security issue:

  • Cross-site request forgery (CSRF) in the XProfile administration Dashboard panel.

This vulnerability was reported privately by Ronnie Skansing. Our thanks to Ronnie for reporting security issues in accordance with WordPress’ security policies.