BuddyPress 7.3.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 7.3.0 release addresses four security issues:
- A vulnerability was fixed that could allow a member to create a group on behalf of another member via a REST API endpoint.
- A vulnerability was fixed that could allow members to favorite private or hidden activities they should not have access to, via a REST API endpoint.
- A vulnerability was fixed that could allow the creator of a group to still update or delete it after being demoted to a regular member, via a REST API endpoint.
- A vulnerability was fixed that could allow a group's banned members to remove themselves from the group and then rejoin it or request membership again, via a REST API endpoint.
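All four issues are the same class of bug: a REST endpoint that derives identity or role from the request or from a stale attribute instead of from the authenticated caller's current state. The following is an added illustration written for this post, not BuddyPress's own code or patch. It models the four decisions as plain PHP functions over a constructed in-memory group (`GroupState`, `ActivityState` and all function names are hypothetical); in a WordPress plugin the same logic would run from the `permission_callback` registered with `register_rest_route()`. The assumption that a ban is stored on the membership record, so that "leaving" would erase it, is also part of the model rather than a statement about BuddyPress internals.

```php
<?php
declare(strict_types=1);

// Minimal in-memory model of the state the checks need. Constructed for this
// example; BuddyPress keeps this in its own tables and helper functions.
final class GroupState
{
    public function __construct(
        public int $creatorId,
        public array $adminIds,   // user IDs currently holding the admin role
        public array $memberIds,  // user IDs currently in the group
        public array $bannedIds,  // user IDs banned from the group
    ) {}
}

final class ActivityState
{
    public function __construct(
        public int $groupId,
        public bool $isPublic,    // false for private/hidden group activity
    ) {}
}

/**
 * Creating a group: the creator is whoever authenticated, never whatever the
 * request body says. A client-supplied creator_id is honoured only for site
 * moderators. Returns null to deny.
 */
function resolve_group_creator(int $currentUserId, array $params, bool $isSiteModerator): ?int
{
    if (!isset($params['creator_id'])) {
        return $currentUserId;
    }
    $requested = (int) $params['creator_id'];
    if ($requested === $currentUserId || $isSiteModerator) {
        return $requested;
    }
    return null; // deny: creating a group on behalf of another member
}

/**
 * Updating or deleting a group: authorize on the *current* admin role, not on
 * the historical fact of having created the group. A demoted creator fails this.
 */
function can_manage_group(int $currentUserId, GroupState $group, bool $isSiteModerator): bool
{
    // The weak form of this check, for comparison (creator status never expires):
    // return $group->creatorId === $currentUserId;
    return $isSiteModerator || in_array($currentUserId, $group->adminIds, true);
}

/**
 * Leaving a group: a banned user is not an ordinary member and must not be able
 * to "leave". In this model the ban lives on the membership record, so deleting
 * that record would also delete the ban (assumption of the model).
 */
function can_leave_group(int $currentUserId, GroupState $group): bool
{
    if (in_array($currentUserId, $group->bannedIds, true)) {
        return false;
    }
    return in_array($currentUserId, $group->memberIds, true);
}

/** Joining or requesting membership: refused while the ban stands. */
function can_request_membership(int $currentUserId, GroupState $group): bool
{
    return !in_array($currentUserId, $group->bannedIds, true)
        && !in_array($currentUserId, $group->memberIds, true);
}

/**
 * Favoriting an activity implies reading it, so apply the read check first:
 * non-public activity is visible only to current, non-banned group members.
 */
function can_favorite_activity(int $currentUserId, ActivityState $activity, GroupState $group, bool $isSiteModerator): bool
{
    if ($activity->isPublic || $isSiteModerator) {
        return true;
    }
    return in_array($currentUserId, $group->memberIds, true)
        && !in_array($currentUserId, $group->bannedIds, true);
}

// Constructed scenario: user 7 created the group and was later demoted to a
// regular member, user 3 is the current admin, user 9 is banned.
$group  = new GroupState(creatorId: 7, adminIds: [3], memberIds: [3, 7], bannedIds: [9]);
$hidden = new ActivityState(groupId: 1, isPublic: false);

$checks = [
    'creator is bound to the caller'        => resolve_group_creator(7, ['creator_id' => 3], false) === null,
    'demoted creator cannot manage group'   => can_manage_group(7, $group, false) === false,
    'current admin can manage group'        => can_manage_group(3, $group, false) === true,
    'banned user cannot leave'              => can_leave_group(9, $group) === false,
    'banned user cannot rejoin'             => can_request_membership(9, $group) === false,
    'non-member cannot favorite hidden item'=> can_favorite_activity(9, $hidden, $group, false) === false,
    'member can favorite hidden item'       => can_favorite_activity(7, $hidden, $group, false) === true,
];
foreach ($checks as $name => $ok) {
    echo ($ok ? 'PASS ' : 'FAIL ') . $name . PHP_EOL;
}
```

Run it with `php` on the command line (PHP 8.0 or later for constructor promotion and named arguments). The point to carry over to real endpoints is that every decision takes the authenticated user ID as an input and consults live membership, admin and ban state, never a user ID or role supplied by the client.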
These vulnerabilities were reported privately to the BuddyPress team by Kien Hoang, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.
Version 7.3.0 also fixes a bug in our WP CLI Scaffold command.
For complete details, visit the 7.3.0 changelog.
Update to BuddyPress 7.3.0 today in your WordPress Dashboard, or by downloading from the WordPress.org plugin repository.
[…] 🗣 BuddyPress 7.3.0 closes a few security holes, so update if you are running BuddyPress. […]
[…] If you haven’t upgraded yet, please do so. If you are using a clone of the BP REST or the WP CLI BuddyPress GitHub repositories, please do […]