BuddyPress 2.9.3 is now available. This is a security and maintenance release. We strongly encourage all BuddyPress sites to upgrade as soon as possible.
The 2.9.3 release addresses two security issues:
- A dynamic template loading feature could be used in some cases for unauthorized file execution and directory traversal. Reported by James Golovich.
- Some permissions checks and path validations in the attachment deletion process were hardened. Reported by RIPSTech and Slava Abakumov of the BuddyPress security team.
These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to all reporters for practicing coordinated disclosure.
In addition, 2.9.3 includes a change that fixes the ability to install legacy bbPress 1.x forums. Please note that legacy forum support will be removed altogether in BuddyPress 3.0; see the announcement blog post for more details.