bbPress 2.5.10 is out, and it is a security release for all previous 2.x versions. 2.5.10 adds output escaping for user display names in the places where names and avatars are commonly displayed together.
These changes live inside bbPress itself and do not require any change to third-party themes or to overridden bbPress template parts. If you are using a third-party theme or your own template parts, you inherit these fixes automatically as soon as you update.
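To show what "escaping display names where names and avatars appear together" means in practice, here is an added example. It is not bbPress's own code and does not reproduce the 2.5.10 change; it illustrates the pattern with a constructed display name and a hypothetical avatar URL, using PHP's own htmlspecialchars() so it runs stand-alone without WordPress (in a real theme you would reach for WordPress's esc_html(), esc_attr() and esc_url()). Because the escaping sits inside the helper that templates call, a template part that overrides the markup but still calls the helper picks up the fix, which is the point made above about third-party themes.

```php
<?php
// Added example, not bbPress code. Demonstrates why a user display name that is
// rendered next to an avatar must be escaped for every output context it lands in.

// Constructed sample input: a display name a user could set that carries markup.
$display_name = 'Alice <img src=x onerror="alert(1)">';
$avatar_url   = 'https://example.invalid/avatar.png'; // hypothetical avatar URL

// Vulnerable pattern: the raw name is concatenated into HTML text and attributes.
// The same string is emitted three times, so one bad name lands in three contexts.
function render_author_unescaped(string $name, string $avatar): string {
    return '<a class="author" title="' . $name . '">'
         . '<img src="' . $avatar . '" alt="' . $name . '" />'
         . $name . '</a>';
}

// Minimal escaper: ENT_QUOTES covers both single and double quoted attributes,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently dropping the whole string.
// WordPress's esc_html() and esc_attr() wrap this same logic for their contexts.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: escape at the point of output, once per context.
// Templates that call this helper inherit the escaping without changing markup.
function render_author_escaped(string $name, string $avatar): string {
    return '<a class="author" title="' . esc($name) . '">'
         . '<img src="' . esc($avatar) . '" alt="' . esc($name) . '" />'
         . esc($name) . '</a>';
}

// Quick self-check: the hardened output must not contain a live <img> from the name.
function contains_injected_tag(string $html): bool {
    return strpos($html, '<img src=x') !== false;
}

echo "Unescaped:\n" . render_author_unescaped($display_name, $avatar_url) . "\n\n";
echo "Escaped:\n"   . render_author_escaped($display_name, $avatar_url)   . "\n\n";
echo 'Injected tag present after escaping? '
   . (contains_injected_tag(render_author_escaped($display_name, $avatar_url)) ? 'yes' : 'no')
   . "\n";
```

Run it with `php example.php`. The unescaped rendering emits the user-supplied `<img ... onerror=...>` as markup inside the link text, while the escaped rendering turns it into literal text (`&lt;img ...&gt;`) in the text node and into `&quot;`-safe content in the `title` and `alt` attributes.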
If you’re using any version of bbPress 2.x and have not yet updated, please take a moment to update your bbPress installations to 2.5.10. If you’re using WordPress’s built-in updater, it should only take a click or two. If you need help, please reach out in our support forums and someone will be happy to assist you.
These fixes have also been ported over to 2.6, which we continue to run here at bbPress.org and BuddyPress.org.
Thank you to HackerOne user psych0tr1a for identifying (and responsibly disclosing) these findings to the WordPress security team, who worked to get 2.5.10 out within a few hours of the original report coming in.
Speaking of bbPress 2.6, we’re working on refactoring per-forum moderators now, and we’ll have a beta ready for everyone to try shortly!