BuddyPress 14.2.1 is now available. This is a maintenance & security release. All BuddyPress installations should be updated as soon as possible.

The 14.2.1 release addresses the following security issue:

  • The “Take Photo” feature (which uses the logged-in user’s webcam to capture their profile photo) was vulnerable to an authenticated (Subscriber+) directory traversal. Discovered by Domons from the Wordfence organization.

This vulnerability was reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.

14.2.1 also fixes 3 bugs introduced in 14.0.0:

  • Groups: move the invite_status group meta check out of the groups_join_group() function (see #9241).
  • Administration: use the correct component labels in the BP Site Health info panel (see #9237).
  • Administration: resolve multiple issues with the BP constants Site Health info panel (see #9245).

For complete details, visit the 14.2.1 changelog.

You can get the latest version by downloading it from the WordPress.org plugin directory or by checking it out from our Subversion repository.

If for a specific reason you can’t upgrade to 14.2.1, we have also ported the security fix to BuddyPress versions going all the way back to the 11.0 branch. Here is the list of the available downloads for the corresponding tags; you can also find these links on our WordPress.org Plugin Directory “Advanced” page:

  • If you are using BP 11.x and can’t upgrade to 14.2.1, please upgrade to 11.4.3
  • If you are using BP 12.x and can’t upgrade to 14.2.1, please upgrade to 12.5.2

Many thanks to the 14.2.1 contributors: vapvarun, boonebgorges, emaralive, imath.