John James Jacoby, lead developer of bbPress, has released bbPress 2.5.9 to patch a security vulnerability. “bbPress 2.5.8 and below are susceptible to a cross-site-scripting vulnerability that’s due to the way users are linked to their profiles when they are mentioned in topics and replies,” Jacoby said.
Marc-Alexandre Montpas is credited for responsibly disclosing the vulnerability to the WordPress security team. The patch has already been applied to bbPress 2.6, which is currently in development. Users are advised to update their bbPress installations as soon as possible. Users who encounter issues updating to 2.5.9 can report them to the bbPress support forums.
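The announcement says only that the flaw lies in how mentioned users are turned into profile links. As an added illustration (not bbPress's code and not the actual patched function), the constructed plain-PHP mention linker below shows the bug class once unescaped and once escaped per output context; the user table, the `@name` pattern and the profile URL layout are assumptions for the example.

```php
<?php
// Constructed user table (assumption): nicename used in the URL, display name shown as link text.
const USERS = [
    'alice'   => ['nicename' => 'alice',   'display' => 'Alice'],
    // Constructed hostile record: a display name carrying markup.
    'mallory' => ['nicename' => 'mallory', 'display' => 'Mallory <b>"bold"</b>'],
];

// Assumed profile URL layout.
function profile_url(string $nicename): string {
    return 'https://forum.example/users/' . $nicename . '/';
}

// UNSAFE: user-controlled values are interpolated straight into the attribute
// and the text node, so markup in a display name reaches the browser as markup.
function link_mentions_unsafe(string $text): string {
    return preg_replace_callback('/@([a-z0-9_-]+)/i', function (array $m): string {
        $user = USERS[strtolower($m[1])] ?? null;
        if ($user === null) {
            return $m[0];
        }
        return '<a href="' . profile_url($user['nicename']) . '">@' . $user['display'] . '</a>';
    }, $text);
}

// SAFE: encode the nicename as a URL path segment, then escape the href value as an
// attribute and the label as text. In WordPress the equivalents are esc_url() and esc_html().
// Assumes $text is already escaped/filtered post content, so the regex only touches text.
function link_mentions_safe(string $text): string {
    return preg_replace_callback('/@([a-z0-9_-]+)/i', function (array $m): string {
        $user = USERS[strtolower($m[1])] ?? null;
        if ($user === null) {
            return $m[0];
        }
        $href  = profile_url(rawurlencode($user['nicename']));
        $label = '@' . $user['display'];
        return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
             . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
    }, $text);
}

// Constructed reply body for the demonstration.
$reply = 'Thanks @alice, cc @mallory';
echo link_mentions_unsafe($reply), "\n"; // emits the <b> tag from the display name verbatim
echo link_mentions_safe($reply), "\n";   // emits &lt;b&gt;&quot;bold&quot;&lt;/b&gt; instead
```

The check worth keeping from this: every mention filter should run on already-escaped content and escape each piece it inserts for the context it lands in (URL segment, attribute, text), rather than trusting that usernames or display names are clean.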
This vulnerability was a bugger to fix correctly. Thanks for the coverage here, Jeff.