John James Jacoby, lead developer of bbPress, has released bbPress 2.5.10 to patch a security vulnerability that affects all previous versions of the 2.X branch. This release also contains security hardening improvements in areas where user display names and avatars are commonly displayed together.
Jacoby notes that these changes affect bbPress only and don’t impact third-party themes or modifications to the bbPress template parts. A user by the name of psych0tr1a is credited with responsibly disclosing the vulnerability through the HackerOne program.
HackerOne is a bug bounty program used by a number of large companies, including Automattic, that monetarily rewards users who responsibly disclose security vulnerabilities. Those who use bbPress are strongly encouraged to update to 2.5.10 as soon as possible.