CeSGO Dashboard 2.1.0

BuddyPress 14.4.0, BuddyPress 12.6.0, and BuddyPress 11.5.2 are all now available. This is a security release. Please update as soon as possible.

14.4.0, 12.6.0 & 11.5.1 fixed one bug and one security issue:

• The BP REST API signups endpoint could leak signup data, including user email addresses, because of a too-lenient lookup function. Thanks to Asim Alshaya for responsibly reporting this issue.
• Improve behavior of bp_email_unsubscribe_handler(). After the changes in the “Improve security of status update messages” changeset, non-logged-in users clicking an unsubscribe link received no feedback on the success of their action.

Note: 11.5.2 contains the same code changes as 11.5.1 but has been repackaged to hopefully resolve some SVN oddities.

For complete details, visit the 14.4.0 changelog.

Many thanks to our 14.4.0 contributors 

emaralive, jjj, r-a-y, vapvarun, and dcavins.

BuddyPress 14.3.4, BuddyPress 12.5.3, and BuddyPress 11.4.4 are all now available. This is a security release. Please update as soon as possible.

14.3.4, 12.5.3 & 11.4.4 fixed two bugs:

• Restrict bulk notification management to owner. Many thanks to Brian Mungah for responsibly reporting the problem.
• Improve security of status update messages. Many thanks to mikemyers for responsibly reporting the issue.

For complete details, visit the 14.3.4 changelog.

You can get the latest version by clicking on the above button, downloading it from the WordPress.org plugin directory or checking it out from our Subversion repository.

Many thanks to our 14.3.4 contributors 

emaralive, jjj, and dcavins.

BuddyPress 14.3.3 is now available. This is a maintenance release.

14.3.3 fixes a mistake made in the build process for 14.3.1 (and 14.3.2 attempted to fix, but didn’t completely fix the issue, so was never released).

14.3.1 fixed two bugs:

• WordPress 6.7 compatibility: WP 6.7 will throw notices for plugins that load their textdomain before ‘init’ (see #9247).
• BP Legacy Theme Pack: Make sure the bp_heartbeat property is included in the WP Heartbeat data object (see #9248).

For complete details, visit the 14.3.1 changelog.

You can get the latest version by clicking on the above button, downloading it from the WordPress.org plugin directory or checking it out from our Subversion repository.

Many thanks to our 14.3.3 contributors 

dreampixel, boonebgorges, emaralive & imath.

BuddyPress 14.3.1 is now available. This is a maintenance release.

14.3.1 fixes two bugs:

• WordPress 6.7 compatibility: WP 6.7 will throw notices for plugins that load their textdomain before ‘init’ (see #9247).
• BP Legacy Theme Pack: Make sure the bp_heartbeat property is included in the WP Heartbeat data object (see #9248).

For complete details, visit the 14.3.1 changelog.

You can get the latest version by clicking on the above button, downloading it from the WordPress.org plugin directory or checking it out from our Subversion repository.

Many thanks to our 14.3.1 contributors 

dreampixel, boonebgorges, emaralive & imath.

BuddyPress 14.2.1 is now available. This is a maintenance & security release. All BuddyPress installations should be updated as soon as possible.

The 14.2.1 release addresses the following security issue:

• The “Take Photo” feature (which uses the logged in user’s Webcam to capture their profile photo) was vulnerable to an authenticated (Subscriber+) directory traversal. Discovered by Domons from the Wordfence organization.

This vulnerability was reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.

14.2.1 also fixes 3 bugs introduced in 14.0.0:

• Groups: move the invite_status group meta check out of the groups_join_group() function (see #9241).
• Administration: use the components right labels into the BP site health info panel (see #9237)
• Administration: resolve Multiple Issues with the BP constants site health info panel (see #9245)

For complete details, visit the 14.2.1 changelog.

You can get the latest version by clicking on the above button, downloading it from the WordPress.org plugin directory or checking it out from our Subversion repository.

If for a specific reason you can’t upgrade to 14.2.1, we have also ported the security fix to BuddyPress versions going all the way back to branch 11.0. Here’s the list of the available downloads for the corresponding tags, you can also find these links on our WordPress.org Plugin Directory “Advanced” page:

• If you are using BP 11.x and can’t upgrade to 14.2.1, please upgrade to 11.4.3
• If you are using BP 12.x and can’t upgrade to 14.2.1, please upgrade to 12.5.2

Many thanks to 14.2.1 contributors 

vapvarun, boonebgorges, emaralive & imath.