bbPress 2.5.4 is out. It fixes 6 bugs, the last of which is a security concern for all previous bbPress 2.x installations. If you’re using any version of bbPress 2.x and have been hesitating to upgrade, please consider doing so today. If you need help, please reach out in our support forums and someone will be happy to help.

The following bugs have been fixed in 2.5.4:

  • #2586 – Fix ‘Replies in each forum’ repair tool, to prevent breaking the reply position.
  • #2162 – Switch notification emails to send one email using Bcc headers instead of one for each subscriber.
  • #2496 – Support slashes in slug settings, and improve sanitization of these fields.
  • #2518 – Improve handling of SSL assets when relying on theme compatibility.
  • #2588 – Fix bug when editing a reply that would pollute hierarchical replies in that topic.
  • #2610 – Properly handle escaping of displayed user fields and data when editing a user.

Thanks go out to Mazen Gamal Mesbah for identifying and responsibly disclosing the displayed user field vulnerability. I’m proud to say the bbPress team worked quickly to get 2.5.4 out just after the 24-hour mark of being notified, which for a volunteer team is pretty great.

For anyone keeping an eye on the development of 2.6, all of these fixes are already ported over, and we bumped the 2.6 release date back to the end of June to give us time to enjoy the fresh summer air.

Please accept our apologies for the late-Friday release, and do spend some time this weekend giving your bbPress installations some TLC with an update to 2.5.4.