BuddyPress 2.8.2 is now available. This is a security release. We strongly encourage all BuddyPress sites to upgrade as soon as possible.
BuddyPress 2.8.1 and earlier versions were affected by the following three security issues:
- Cross-site request forgery (CSRF) in the XProfile administration Dashboard panel.
- Cross-site request forgery (CSRF) in a number of user-facing AJAX endpoints.
- Cross-site request forgery (CSRF) when dismissing a pending email change.
These vulnerabilities were reported privately by Ronnie Skansing. Our thanks to Ronnie for reporting security issues in accordance with WordPress’s security policies.