BuddyPress 5.2.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.

The 5.2.0 release addresses four security issue:

  • A vulnerability was fixed that could allow group moderators improper control over group membership via a REST API endpoint.
  • A vulnerability was fixed that could allow a CSRF attack related to xProfile field deletion links in the Dashboard.
  • A vulnerability was fixed that could allow users to delete group activity items belonging to groups to which they don’t have administrative access.
  • A vulnerability was fixed that could allow site Editors or Authors improper edit access over items belonging to BuddyPress’s Email post type.

These vulnerabilities were reported privately to the BuddyPress team by Kien Hoang, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.

Version 5.2.0 also fixes five bugs, including compatibility updates for WordPress 5.4.

For complete details, visit the 5.2.0 changelog.

Update to BuddyPress 5.2.0 today in your WordPress Dashboard, or by downloading from the WordPress.org plugin repository.