BuddyPress 7.2.1 is now available. This is a security release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.

The 7.2.1 release addresses 5 security issues which were reported privately to the BuddyPress team by Kien Hoang, in accordance with WordPress’s security policies:

  • A vulnerability was fixed that could allow a privilege escalation from a regular user to Administrator, using the BuddyPress REST API buddypress/v1/members/me endpoint.
  • A vulnerability was fixed that could allow a member to force a friendship on behalf of another member, using the BuddyPress REST API buddypress/v1/friends endpoint.
  • A vulnerability was fixed that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API buddypress/v1/messages endpoint.
  • A vulnerability was fixed that could allow a member to invite another member to join a group without being friends when that group restricted invites to friends only, using BuddyPress Nouveau and the BuddyPress REST API buddypress/v1/groups/invites endpoint.
  • A vulnerability was fixed that could allow a user that has just been demoted from an Administrator role to a Subscriber to add/edit/delete BuddyPress Member Types from the Administration screens introduced in the 7.0.0 release.

The BuddyPress Team also conducted a comprehensive security audit on all BuddyPress REST API endpoints, which led to:

  • Improving all permission methods to use a WP_Error object as the default return value.
  • Fixing unintended behavior allowing any member to edit their own Member Type.
  • Fixing unintended behavior that allowed any logged-in member to list the members of a private group.
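
As an added illustration of the "WP_Error as the default return value" pattern and of the private-group listing fix described above (example code written for this post, not BuddyPress's own implementation), the permission callback below starts from a WP_Error and only flips to true once an explicit check passes; the `example/v1` namespace and the two `example_group_*` helpers are placeholders.

```php
<?php
// Added example (not BuddyPress code): a deny-by-default REST permission callback.
// 'example/v1' and the two example_group_* helpers are placeholders.

function example_group_status( int $group_id ): string {
    return 'private'; // Placeholder: would be 'public', 'private' or 'hidden'.
}

function example_user_is_group_member( int $user_id, int $group_id ): bool {
    return false; // Placeholder: would look up group membership.
}

// The return value starts as a WP_Error, so any branch that forgets to grant
// access still denies the request. The fragile alternative, `$retval = true;`
// overridden only in specific failure cases, allows access whenever a case is missed.
function example_group_members_permissions_check( WP_REST_Request $request ) {
    $retval = new WP_Error(
        'rest_authorization_required',
        __( 'Sorry, you are not allowed to see the members of this group.' ),
        array( 'status' => rest_authorization_required_code() )
    );

    if ( ! is_user_logged_in() ) {
        return $retval;
    }

    $group_id = (int) $request['id'];
    $user_id  = get_current_user_id();

    // Public groups: any logged-in member. Private/hidden: group members or site admins only.
    if ( 'public' === example_group_status( $group_id )
        || current_user_can( 'manage_options' )
        || example_user_is_group_member( $user_id, $group_id ) ) {
        $retval = true;
    }

    return $retval;
}
function example_group_members_list( WP_REST_Request $request ) {
    return rest_ensure_response( array() ); // Placeholder response body.
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/groups/(?P<id>\d+)/members', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_group_members_list',
        'permission_callback' => 'example_group_members_permissions_check',
    ) );
} );
```

With the default error in place, an unauthenticated request receives a 401 and a logged-in non-member of a private group receives a 403, without any branch needing to remember to deny.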

For an even deeper dive, visit the 7.2.1 changelog.

Our deepest gratitude goes out to Kien for practicing coordinated disclosure and being extremely patient while we worked through these issues.

Update to BuddyPress 7.2.1 today in your WordPress Dashboard, or by downloading from the WordPress.org plugin repository.