BuddyPress 9.1.1 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 9.1.1 release addresses three security issues:
- The activation key was included into the responses of the
create_item
method of BP REST API Signup controller. Discovered by Brajesh Singh. - An SQL Injection vulnerability was fixed in
BP_Notifications_Notification::get_order_by_sql()
. Discovered by David Cavins. - An SQL Injection vulnerability was fixed in
BP_Invitation::get_order_by_sql()
. Discovered by David Cavins.
These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporters for practicing coordinated disclosure.
BuddyPress 9.1.1 also fixes 3 bugs. For complete details, visit the 9.1.1 changelog.
You can get it clicking on the above button, downloading it from the WordPress.org plugin directory or checking it out from our Subversion repository.
If for a specific reason you can’t upgrade to 9.1.1, we also included the security fixes to our branches from 2.9 to 8.0. Here’s the list of the available downloads for the corresponding tags, you can also find on our WordPress.org Directory Advanced page:
- If you are using BP 2.9.4 and can’t upgrade to 9.1.1, please upgrade to 2.9.5.1
- If you are using BP 3.2.0 and can’t upgrade to 9.1.1, please upgrade to 3.2.1
- If you are using BP 4.4.0 and can’t upgrade to 9.1.1, please upgrade to 4.4.1
- If you are using BP 5.2.0 and can’t upgrade to 9.1.1, please upgrade to 5.2.1
- If you are using BP 6.4.0 and can’t upgrade to 9.1.1, please upgrade to 6.4.2
- If you are using BP 7.3.0 and can’t upgrade to 9.1.1, please upgrade to 7.3.2
- If you are using BP 8.0.0 and can’t upgrade to 9.1.1, please upgrade to 8.0.2