[JustinF]

We have discovered a critical security issue with bbpress that really needs an immediate fix.

Users submit sensitive information to us using PRIVATE posts – which works fine. However, these posts show as VISIBLE when using the built-in Forum search!

We had to remove the search function from our forum until this is fixed.

Quite honestly, I would expect this to be a #1 priority for fixing.

[JustinF]

Any update on this? (Or a response at least…)

[John James Jacoby]

What do you mean by “private posts”?

bbPress doesn’t enable private topics or replies out of the box. What little support it does have, still allows for administrators to search for and see any non-trashed topics or replies.

Are you using a third party plugin to enable this private posting functionality?

I don’t really see this as a security vulnerability, so much as you’re using bbPress in a neat way that isn’t quite finished for your needs yet.

If we need to add support for something that isn’t possible yet, we’re happy to do it. A little bit more information will be helpful so we can suss it out.

[John James Jacoby]

Any updates here?

[JustinF]

Hi John-

Sorry for the delay. The add-on I was referring to was this:

https://wordpress.org/plugins/bbpress-private-replies/

It appears it is not compatible with the current version of bbpress in that the replies that are marked as “private” are in fact viewable by users without Admin permissions if using the Search function.

I suspect Pippin would be the one to contact for this?

[John James Jacoby]

I suspect Pippin would be the one to contact for this?

Exactly correct.