BuddyPress 12.4.1 is now available. This is a security release. All BuddyPress installations should be updated as soon as possible.

The 12.4.1 release addresses the following security issue:

  • The dynamic Members, dynamic Friends and dynamic Groups blocks were vulnerable to Stored Cross-Site Scripting (XSS). Discovered by Wesley (wcraft) from the Wordfence organization.

This vulnerability affected BuddyPress branches from 9.0 to 12.0. It was reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.

For complete details, visit the 12.4.1 changelog.

You can get the latest version by clicking on the above button, downloading it from the WordPress.org plugin directory or checking it out from our Subversion repository.

If for a specific reason you can’t upgrade to 12.4.1, we have also ported the security fix to BuddyPress versions going all the way back to branch 9.0. Here’s the list of available downloads for the corresponding tags; you can also find these links on our WordPress.org Plugin Directory “Advanced” page:

  • If you are using BP 9.x and can’t upgrade to 12.4.1, please upgrade to 9.2.3
  • If you are using BP 10.x and can’t upgrade to 12.4.1, please upgrade to 10.6.3
  • If you are using BP 11.x and can’t upgrade to 12.4.1, please upgrade to 11.4.1