bbPress 2.5.9 is out, and is a security release for all previous 2.x versions.

bbPress versions 2.5.8 and earlier are susceptible to a form of cross-site-scripting, due to the way users are linked to their profiles when they are mentioned in topics and replies.

If you’re using any version of bbPress 2.x and have not yet updated, please take a moment to update your bbPress installations to 2.5.9. If you’re using WordPress’s built-in updater, it should only take a click or two. If you need help, please reach out in our support forums and someone will be happy to assist you.

Thank you to Marc-Alexandre Montpas for identifying (and responsibly disclosing) his findings to the WordPress security team. Everyone involved worked diligently to get 2.5.9 out as quickly as possible.

These fixes have also been ported over to bbPress 2.6, which we continue to run here at bbPress.org and BuddyPress.org.