bbPress 2.5.10 – Security Release

Published on July 13th, 2016 by John James Jacoby

bbPress 2.5.10 is out, and is a security release for all previous 2.x versions. 2.5.10 includes additional escaping on user display names in places where names & avatars are commonly displayed together.

These changes are internal to bbPress and do not affect any third-party themes or modifications to bbPress template parts. If you are using a third-party theme or template parts, you will inherit these fixes automatically.

If you’re using any version of bbPress 2.x and have not yet updated, please take a moment to update your bbPress installations to 2.5.10. If you’re using WordPress’s built-in updater, it should only take a click or two. If you need help, please reach out in our support forums and someone will be happy to assist you.

These fixes have also been ported over to 2.6, which we continue to run here at bbPress.org and BuddyPress.org.

Thank you to HackerOne user psych0tr1a for identifying (and responsibly disclosing) these findings to the WordPress security team, who worked to get 2.5.10 out within a few hours from when the original report came in.


Speaking of bbPress 2.6, we’re working on refactoring per-forum moderators now, and we’ll have a beta ready for everyone to try shortly!

bbPress 2.5.9 – Security & Bugfix Release

Published on May 2nd, 2016 by John James Jacoby

bbPress 2.5.9 is out, and is a security release for all previous 2.x versions.

bbPress versions 2.5.8 and earlier are susceptible to a form of cross-site scripting, due to the way users are linked to their profiles when they are mentioned in topics and replies.

If you’re using any version of bbPress 2.x and have not yet updated, please take a moment to update your bbPress installations to 2.5.9. If you’re using WordPress’s built-in updater, it should only take a click or two. If you need help, please reach out in our support forums and someone will be happy to assist you.

Thank you to Marc-Alexandre Montpas for identifying (and responsibly disclosing) his findings to the WordPress security team. Everyone involved worked diligently to get 2.5.9 out as quickly as possible.

These fixes have also been ported over to bbPress 2.6, which we continue to run here at bbPress.org and BuddyPress.org.

An update on bbPress 2.6

Published on March 30th, 2016 by John James Jacoby

Hi everyone!

The current major version of bbPress (2.5.x) has been going strong for about a year now, without any major blockages, problems, or breakage. If you helped make bbPress as great as it is, please pat yourself on the back… now.

Stephen and I have been steadily improving and readying the next major version (2.6) ever since releasing 2.5.0, and while many huge features and neat little improvements have already landed in the development version, there are 2 features that will likely get bumped to 2.7 so we can call 2.6 done:

  • bbPress as Post Comments
  • Forums as Taxonomies

These two features are fully architected and planned, but do not have enough progress in code for them to hold up the release of 2.6.

In the coming weeks, look forward to betas and RCs of bbPress 2.6 without the two features mentioned above. For 2.7, we’ll likely focus *only* on those two features and nothing else.

Thanks for being patient, and passionate about bbPress. We love forums, and we love our users and fans! <3

2015 bbPress Survey Results

Published on September 9th, 2015 by @mercime

This report presents the results of the 2015 bbPress Survey held from May 28 – July 10, 2014. Two hundred thirteen participants from forty-one countries completed the survey. Thank you all.

Country Flags of the 2015 bbPress Survey Participants


bbPress 2.5.8 – Security Release

Published on July 13th, 2015 by Stephen Edgar

bbPress 2.5.8 is out now, and it fixes several issues regarding user query parsing and hardening of AJAX actions for logged-out users for all previous bbPress 2.x installations. If you’re using any version of bbPress 2.x and have not yet updated, please do so right away. If you need help, please reach out in our support forums and someone will be happy to assist you.

These fixes have also been ported over to 2.6, which we continue to run here at bbPress.org and BuddyPress.org.

2015 bbPress Survey

Published on May 28th, 2015 by John James Jacoby

bbPress has come a long way since its early days. We want it to be the best community and support forum software solution around, and your opinions & feedback are critical to achieving that goal.

Last year, Mercime put together a survey that revealed many of the things you’d like bbPress to be, and this year we are doing it again, with questions poised to help the core team build a better bbPress.

You will find the survey embedded below.

Thank you, again, for sharing your opinions with us. We will post the results in about a month or so!

bbPress 2.5.7 – Security Release

Published on April 20th, 2015 by John James Jacoby

bbPress 2.5.7 is out now, and it fixes several issues regarding unescaped URL output for all previous bbPress 2.x installations. If you’re using any version of bbPress 2.x and have not yet updated, please do so right away. If you need help, please reach out in our support forums and someone will be happy to assist you.

The bbPress team worked closely with the WordPress core team and several other plugin authors to coordinate the release of 2.5.7 alongside other libraries with similar issues.

These fixes have also been ported over to 2.6, which we continue to run here at bbPress.org and BuddyPress.org.

bbPress 2.5.6 – Maintenance Release

Published on March 17th, 2015 by John James Jacoby

Because 2.5.5 was so good 2 weeks ago, we are releasing bbPress 2.5.6 tonight. It fixes 1 issue with subscription notification emails that was plaguing a few of our more sophisticated installations.

If you’re using any version of bbPress 2.x and have been hesitating to upgrade, please consider doing so today. If you need help, please reach out in our support forums and someone will help you get updated.

Thanks to netweb, DJPaul, and mordauk for their diligence in patching and prioritizing this issue.

bbPress 2.5.5 – Security Release

Published on March 6th, 2015 by John James Jacoby

bbPress 2.5.5 is out. It fixes 3 potential security issues for all previous bbPress 2.x installations. If you’re using any version of bbPress 2.x and have been hesitating to upgrade, please consider doing so today. If you need help, please reach out in our support forums and someone will be happy to help.

Thanks go out to J.D. Grimes for identifying and responsibly disclosing his findings. The bbPress team (once again) worked quickly to get 2.5.5 out in just over 24 hours of being notified.

Please accept our apologies (again) for the late-Friday release, and take a quick moment to give your bbPress installations a quick update to 2.5.5.

All of these fixes have been ported over to 2.6, and we’ll be releasing a beta real soon!

bbPress 2.5.4 – Security & Bugfix Release

Published on June 6th, 2014 by John James Jacoby

bbPress 2.5.4 is out. It fixes 6 bugs, the last of which is a security concern for all previous bbPress 2.x installations. If you’re using any version of bbPress 2.x and have been hesitating to upgrade, please consider doing so today. If you need help, please reach out in our support forums and someone will be happy to help.

The following bugs have been fixed in 2.5.4:

  • #2586 – Fix ‘Replies in each forum’ repair tool, to prevent breaking the reply position.
  • #2162 – Switch notification emails to send 1 email using Bcc headers VS one for each subscriber.
  • #2496 – Support slashes in slug settings, and improve sanitization of these fields.
  • #2518 – Improve handling of SSL assets when relying on theme compatibility.
  • #2588 – Fix bug when editing a reply that would pollute hierarchical replies in that topic.
  • #2610 – Properly handle escaping of displayed user fields and data when editing a user.

Thanks go out to Mazen Gamal Mesbah for identifying and responsibly disclosing the displayed user field vulnerability. I’m proud to say the bbPress team worked quickly to get 2.5.4 out just after the 24 hour mark of being notified, which for a volunteer team is pretty great.

For anyone keeping an eye on the development of 2.6, all of these fixes are already ported over, and we bumped the 2.6 release date back to the end of June to give us time to enjoy the fresh summer air.

Please accept our apologies for the late-Friday release, and do spend some time this weekend giving your bbPress installations some TLC with an update to 2.5.4.
