If you have a WordPress site with a bbPress-powered forum, you may want to set aside a few minutes this weekend to perform updates. bbPress 2.5.4 was released today with five bug fixes, including an important fix for a security vulnerability.
bbPress project lead John James Jacoby announced the release, crediting IT Security Researcher Mazen Gamal Mesbah for identifying and responsibly disclosing the displayed user field security issue. Mesbah has been instrumental in helping to identify multiple security bugs for Yahoo, Automattic, Mailchimp, Sony, and Eventbrite, and was most recently honored in Microsoft’s security hall of fame.
The security fix in bbPress 2.5.4 adds proper escaping for displayed user fields and data when editing a user. Should you spend time updating over the weekend? Yes, if at all possible. The bbPress team recommends that you update your sites as soon as you can. While the update wasn’t announced as critical, bbPress contributors found the issue important enough to fix within 24 hours of being notified, a feat which Jacoby notes is quite impressive for an all-volunteer team.
The bbPress 2.6 release date has been pushed back to the end of June to allow contributors some more time to enjoy the summer. In the meantime, take a few minutes this weekend to update your bbPress sites to 2.5.4.