bbPress 2.5.13 Re-adds Sanitization to Anonymous User Data

The bbPress development team has released bbPress 2.5.13. This release fixes a few bugs; most notably, it re-adds sanitization to anonymous user data that was accidentally removed in previous versions.

Those who allow anonymous users to create topics and replies on their forums are encouraged to update immediately.

“This feature is not widely used on public forums because spammers aggressively target these kinds of sites, but for communities that rely on this feature, please know you can safely upgrade to 2.5.13 without any issues,” John James Jacoby, lead developer of bbPress and BuddyPress, said.

As a reminder, beginning with bbPress 2.5.12, the minimum version of WordPress supported is 4.7. If you’re using an older version of WordPress, Jacoby recommends using or staying with bbPress 2.5.11.

bbPress 2.6 is still in the release candidate phase as developers iron out a few issues discovered on WordPress.org.

Users can download the latest version of bbPress from WordPress.org or browse to Dashboard > Updates, and upgrade from within WordPress.

1 Comment


  1. Imprecise wording in the release announcement seems to have led to confusion here. The release announcement states that the new version “adds some sanitization to anonymous user data that went missing from previous versions”, which could mean that it had existed before and then went missing or just that it was missing before. It looks like the latter, as when we looked into this we didn’t find that the sanitization code added in 5.2.13 had been in previous versions of the plugin.

    More important to note is that the sanitization added looks to just be duplicating sanitization that already exists in the code, which the developers seem to have overlooked. So those using older versions don’t look to be at risk. Though, as always, it is a good idea to keep your plugins up to date at all times.
