This topic is old – bbPress has not been hacked – there was an exploit for all of a day or two back in 0.8 that was quickly fixed.
What’s happening is that OTHER programs on the same account or server are being hacked and what they do is attach themselves to the bbPress templates though those other programs.
In over 4000 sites, I’ve only detected 8 XSS hacks so it’s obviously coming in through other programs and not directly (or the problem would be far more widespread).
(And by the way, if you keep getting hacked, that means your server has been compromised and need to be wiped and re-configured. Just re-installing the PHP programs won’t fix the issue if there is a a hidden backdoor elsewhere. )