BuddyPress 4.4.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.

The 4.4.0 release addresses two security issues:

  • A privilege escalation vulnerability was fixed that could allow a user to send a group invite to another user who is not their friend, even though that other user has chosen to restrict group invites to friends only. This is specific to the BP Nouveau template. Discovered by Yuvraj Dighe.
  • An XSS vulnerability was fixed in the single Group’s RSS link meta for group names. Discovered by wxy7174.

These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporters for practicing coordinated disclosure.

BuddyPress 4.4.0 also fixes 2 bugs. For complete details, visit the 4.4.0 changelog.