BuddyPress 7.2.1 is now available. This is a security release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 7.2.1 release addresses 5 security issues which were reported privately to the BuddyPress team by Kien Hoang, in accordance with WordPress’s security policies:
- A vulnerability was fixed that could allow a privilege escalation from a regular user to Administrator, using the BuddyPress REST API `buddypress/v1/members/me` endpoint.
- A vulnerability was fixed that could allow a member to force a friendship on behalf of another member, using the BuddyPress REST API `buddypress/v1/friends` endpoint.
- A vulnerability was fixed that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API `buddypress/v1/messages` endpoint.
- A vulnerability was fixed that could allow a member to invite another member to join a group without being friends when that group restricted invites to friends only, using BuddyPress Nouveau and the BuddyPress REST API `buddypress/v1/groups/invites` endpoint.
- A vulnerability was fixed that could allow a user that has just been demoted from an Administrator role to a Subscriber to add/edit/delete BuddyPress Member Types from the Administration screens introduced in the 7.0.0 release.
The BuddyPress Team also conducted a comprehensive security audit on all BuddyPress REST API endpoints, which led to:
- Improving all permission methods to use a WP_Error object as the default return value.
- Fixing unintended behavior allowing any member to edit their own Member Type.
- Fixing unintended behavior that allowed any logged-in member to list the members of a private group.
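To make the "WP_Error as the default return value" point concrete, here is an added illustration written for this post; it is not BuddyPress code and does not reproduce any of the fixes above. It registers a hypothetical `example/v1/profile/me` route (the namespace, route and class name are made up) whose permission callback starts from a `WP_Error` and only returns `true` once every check has passed, so a forgotten branch fails closed rather than open. The update callback also copies only an explicit allow-list of fields into `wp_update_user()`, which is a general hardening pattern against a request supplying role-bearing keys; the announcement does not say what the `members/me` defect was, and this is not the project's fix.

```php
<?php
/**
 * Added illustration (not BuddyPress code): a WordPress REST route whose
 * permission callback is default-deny. 'example/v1', '/profile/me' and the
 * class name are hypothetical names chosen for this example.
 */
class Example_Profile_Controller {

	public function register_routes() {
		register_rest_route(
			'example/v1',
			'/profile/me',
			array(
				array(
					'methods'             => WP_REST_Server::EDITABLE,
					'callback'            => array( $this, 'update_item' ),
					'permission_callback' => array( $this, 'update_item_permissions_check' ),
					'args'                => array(
						'display_name' => array(
							'type'              => 'string',
							'sanitize_callback' => 'sanitize_text_field',
						),
					),
				),
			)
		);
	}

	/**
	 * Default-deny permission check: $retval begins life as a WP_Error and is
	 * only replaced with `true` after the caller has passed every check. Any
	 * code path that forgets to set it therefore denies access.
	 */
	public function update_item_permissions_check( WP_REST_Request $request ) {
		$retval = new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to do that.', 'example' ),
			// 401 for anonymous callers, 403 for logged-in ones.
			array( 'status' => rest_authorization_required_code() )
		);

		if ( ! is_user_logged_in() ) {
			return $retval;
		}

		// This route only ever edits the caller's own profile. The request is
		// never consulted for a target user ID, so there is nothing to spoof.
		if ( current_user_can( 'read' ) && get_current_user_id() > 0 ) {
			$retval = true;
		}

		return $retval;
	}

	/**
	 * Even after the permission check passes, only allow-listed fields reach
	 * wp_update_user(). Keys such as 'role' are never copied from the request,
	 * so a caller cannot smuggle a capability change into a profile update.
	 */
	public function update_item( WP_REST_Request $request ) {
		$user_id  = get_current_user_id();
		$allowed  = array( 'display_name' );
		$userdata = array( 'ID' => $user_id );

		foreach ( $allowed as $key ) {
			if ( $request->has_param( $key ) ) {
				$userdata[ $key ] = $request->get_param( $key );
			}
		}

		$result = wp_update_user( $userdata );
		if ( is_wp_error( $result ) ) {
			return $result;
		}

		$user = get_userdata( $user_id );
		return rest_ensure_response(
			array(
				'id'           => $user_id,
				'display_name' => $user ? $user->display_name : '',
			)
		);
	}
}

add_action(
	'rest_api_init',
	function () {
		$controller = new Example_Profile_Controller();
		$controller->register_routes();
	}
);
```

The two habits shown, a permission callback that must be explicitly flipped to `true` and an update handler that copies only named fields out of the request, are what turns a missing check into a 403 instead of a privilege escalation.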
For an even deeper dive, visit the 7.2.1 changelog.
Our deepest gratitude goes out to Kien for practicing coordinated disclosure and being extremely patient while we worked through these issues.
Update to BuddyPress 7.2.1 today in your WordPress Dashboard, or by downloading from the WordPress.org plugin repository.