BuddyPress 4.4.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 4.4.0 release addresses two security issues:
A privilege escalation vulnerability was fixed that could allow a user to send a group invite to another user who is not their friend, even though that user has chosen to restrict group invites to friends only (this is specific to the BP Nouveau template). Discovered by Yuvraj Dighe.
An XSS vulnerability was fixed in the single Group’s RSS link meta for group names. Discovered by wxy7174.
These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporters for practicing coordinated disclosure.
BuddyPress 4.4.0 also fixes 2 bugs. For complete details, visit the 4.4.0 changelog.
BuddyPress 4.3.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 4.3.0 release addresses nine security issues:
A privilege escalation vulnerability was fixed that could allow users to “favorite” activity items to which they do not have read access. Discovered by Yuvraj Dighe.
A privilege escalation vulnerability was fixed that could allow users to join non-public groups while using the Nouveau template pack. Discovered and reported independently by Yuvraj Dighe and Nam.Dinh.
A privilege escalation vulnerability was fixed that could allow users to reply to activity items to which they do not have read access. Discovered by Yuvraj Dighe.
A privilege escalation vulnerability was fixed that could allow users to view private message threads to which they do not have access while using the Nouveau template pack. Discovered by Yuvraj Dighe.
An XSS vulnerability was fixed in the save routine for group names. Discovered by wxy7174.
An XSS vulnerability was fixed in the content of activity items. Discovered by Yonatan Offek.
A privilege escalation vulnerability was fixed that could allow unauthorized users to update certain group settings. Discovered by wxy7174.
A privilege escalation vulnerability was fixed that could allow unauthorized users to view pending group invites. Discovered by Yuvraj Dighe.
A privilege escalation vulnerability was fixed that could allow unauthorized users to delete pending group invitations. Discovered by Yuvraj Dighe.
These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporters for practicing coordinated disclosure.
BuddyPress 4.3.0 also fixes 3 bugs. For complete details, visit the 4.3.0 changelog.
BuddyPress 4.2.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 4.2.0 release addresses two security issues:
A cross-site scripting (XSS) vulnerability was fixed that could allow users to send malicious code in the content of private messages. Discovered and reported independently by Kieran Munday and Tim Coen.
A privilege escalation vulnerability was fixed that could allow users to reply to unauthorized private message threads. Discovered by Kieran Munday.
These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporters for practicing coordinated disclosure.
BuddyPress 4.2.0 also fixes 4 bugs. For complete details, visit the 4.2.0 changelog.
Immediately available is BuddyPress 4.1.0. This maintenance release fixes 3 bugs related to last week’s 4.0.0 release, and is a recommended upgrade for all BuddyPress installations.
For complete details on the release, visit the 4.1.0 changelog.
BuddyPress boasts a proud history of letting community members and managers control their data, independent of third-party, commercial entities. In this spirit, as well as the spirit of recent regulations like the EU’s General Data Protection Regulation (GDPR), and expanding on some of the tools introduced by WordPress in version 4.9.8, BuddyPress 4.0 introduces a suite of tools allowing users and site admins to manage member data and privacy.
Giving your users greater control over their data
The new “Export Data” Settings panel lets users request an export of all BuddyPress data they’ve created. BuddyPress integrates seamlessly with the data export functionality introduced in WordPress 4.9.8, and BP data is included in exports that are initiated either from the Export Data panel or via WP’s Tools > Export Personal Data interface.
BuddyPress 4.0 also integrates with WordPress 4.9.8’s Privacy Policy tools. When you create or update your Privacy Policy, BP will suggest text that’s specifically tailored to the kinds of social data generated on a BuddyPress site, and will prompt registering users to agree to the Privacy Policy, if your theme supports it.
We’ve also done a complete review of BuddyPress’s cookie behavior, and dramatically reduced the number of cookies needed to browse a BP-powered site – especially for logged-out users. We’re confident that this change will help site owners comply with local privacy regulations.
Nouveau and other improvements
The BuddyPress team has been hard at work improving the Nouveau template pack introduced in BuddyPress 4.0. We’ve improved accessibility, extensibility, and responsiveness on mobile devices.
BuddyPress 4.0 also contains a number of internal improvements that improve compatibility with various versions of PHP, fix formatting and content issues when sending emails, and address some backward-compatibility concerns.
This version of BuddyPress is code-named “Pequod” after the famous Pequod’s Pizza in Chicago, where the crust really is caramelized, and the dish really is deep. Buon gusto!
BP 4.0.0 Release Candidate 1 is now available. This package contains the code that we think we’ll ship as BuddyPress 4.0.0 later in November. If you build BuddyPress plugins or themes, you’re encouraged to give the RC a thorough look in a test environment.
Important changes in 4.0.0 include:
BuddyPress data exporters (for WP 4.9.6+), including a new ‘Export Data’ Settings subtab, where users can request an export from the front end
Integration into the WordPress privacy policy system (for WP 4.9.6+)
Improvements to Nouveau and other BP interfaces on mobile devices
BuddyPress 3.0.0 “Apollo” is now available for immediate download from the WordPress.org plugin repository, or right from your WordPress Dashboard. “Apollo” focuses on various improvements for developers, site builders and site managers.
Say hello to “Nouveau”!
A bold reimagining of our legacy templates, Nouveau is our celebration of 10 years of BuddyPress! Nouveau delivers modern markup with fresh JavaScript-powered templates, and full integration with WordPress’ Customizer, allowing more out-of-the-box control of your BuddyPress content than ever before.
Nouveau provides vertical and horizontal layout options for BuddyPress navigation, and for the component directories, you can choose between a grid layout, and a classic flat list.
Nouveau is fully compatible with WordPress. Existing BuddyPress themes have been written for our legacy template pack, and until they are updated, resolve any compatibility issues by choosing the legacy template pack option in Settings > BuddyPress.
Support for WP-CLI
WP-CLI is the command-line interface for WordPress. You can update plugins, configure multisite installs, and much more, without using a web browser. With this version of BuddyPress, you can now manage your BuddyPress content from WP-CLI.
Control site-wide notices from your dashboard
Site Notices are a feature within the Private Messaging component that allows community managers to share important messages with all members of their community. With Nouveau, the management interface for Site Notices has been removed from the front-end theme templates.
Explore the new management interface at Users > Site Notices.
New profile field type: telephone numbers
A new telephone number field type has been added to the Extended Profiles component, with support for all international number formats. With a modern web browser, your members can use this field type to touch-to-dial a number directly.
BuddyPress: leaner, faster, stronger
With every BuddyPress version, we strive to make performance improvements alongside new features and fixes; this version is no exception. Memory use has been optimised — within active components, we now only load each individual code file when it’s needed, not before.
In north-east London, Stoke Newington — or Stokey, as it’s affectionately known — is an area awash with newly-opening restaurants, amidst lapping waves of encroaching gentrification. Apollo’s is an authentically Neapolitan pizza place on the High Street, serving fantastically tasty yet uncomplicated pizzas. If you ever find yourself in north London, don’t miss Apollo’s!