BuddyPress Vulnerability

BuddyPress is a popular open source social networking software package owned by Automattic since 2008 and used in many WordPress installations.


From the BuddyPress announcement at https://buddypress.org/2015/11/buddypress-2-3-5/:

BuddyPress 2.3.5 is now available.

This is a security release for all previous versions. All BuddyPress installations are strongly encouraged to upgrade immediately.

BuddyPress versions 2.3.4 and earlier are subject to a vulnerability that may allow privilege escalation for logged-in users. We have no evidence that this bug has ever been exploited in the wild, but we’re eager to make sure that it is not.

The vulnerability was discovered and reported by Slava Abakumov, and the fix was prepared by the BuddyPress team. Thanks to Slava for responsibly reporting the issue.

If your WordPress site supports automatic background updates, then your BuddyPress installation should update automatically, probably by the time you’ve read this blog post.