BuddyPress 11.3.1 is now available. This is a security and maintenance release. All BuddyPress installations should be updated as soon as possible.

The 11.3.1 release addresses the following security issue:

  • A blind SQL injection vulnerability exploitable by unauthenticated users was fixed in BP_XProfile_Query->find_compatible_table_alias(). Discovered by Michael Mazzolini.

This vulnerability was reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.

BuddyPress 11.3.1 also fixes 3 bugs. For complete details, visit the 11.3.1 changelog.

You can get the latest version by downloading it from the WordPress.org plugin directory or checking it out from our Subversion repository.

If for a specific reason you can’t upgrade to 11.3.1, we have also ported the security fix to BuddyPress versions going all the way back to 5.0. Here’s the list of the available downloads for the corresponding tags; you can also find these links on our WordPress.org Plugin Directory “Advanced” page:

  • If you are using BP 5.2.1 and can’t upgrade to 11.3.1, please upgrade to 5.2.2
  • If you are using BP 6.4.2 and can’t upgrade to 11.3.1, please upgrade to 6.4.3
  • If you are using BP 7.3.2 and can’t upgrade to 11.3.1, please upgrade to 7.3.3
  • If you are using BP 8.0.2 and can’t upgrade to 11.3.1, please upgrade to 8.0.3
  • If you are using BP 9.2.0 and can’t upgrade to 11.3.1, please upgrade to 9.2.1
  • If you are using BP 10.6.0 and can’t upgrade to 11.3.1, please upgrade to 10.6.1