bbPress 2.5.9 Patches Cross-Site-Scripting Vulnerability

John James Jacoby, lead developer of bbPress, has released bbPress 2.5.9 to patch a security vulnerability. “bbPress 2.5.8 and below are susceptible to a cross-site-scripting vulnerability that’s due to the way users are linked to their profiles when they are mentioned in topics and replies,” Jacoby said.

Marc-Alexandre Montpas is credited for responsibly disclosing the vulnerability to the WordPress security team. The patch has already been applied to bbPress 2.6, which is currently in development. Users are advised to update their bbPress installations as soon as possible. Users who encounter issues updating to 2.5.9 can report them to the bbPress support forums.
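To illustrate the class of bug the post describes (a mention in a topic or reply being turned into a profile link without the username being treated as untrusted input), here is a hypothetical PHP mention linker in an unsafe form and a hardened form. This is an added example, not bbPress’s code, which the post does not show; the `KNOWN_USERS` directory, the example.com URLs and the function names are assumptions.

```php
<?php
// Hypothetical user directory: username => profile URL (constructed sample data).
const KNOWN_USERS = [
    'alice'  => 'https://example.com/forums/users/alice/',
    'bob_42' => 'https://example.com/forums/users/bob_42/',
];

// Unsafe pattern: an over-broad match (any non-space run) is interpolated
// raw into both an attribute and the link text, so whatever the pattern
// captured reaches the browser unescaped.
function link_mentions_unsafe(string $text): string
{
    return preg_replace_callback('/@(\S+)/', function (array $m): string {
        return '<a href="https://example.com/forums/users/' . $m[1] . '/">@' . $m[1] . '</a>';
    }, $text);
}

// Hardened pattern: a strict username charset, a length cap, no match inside
// e-mail addresses, linking only names that exist, and escaping of both the
// URL and the visible text before they are placed in HTML.
function link_mentions_safe(string $text): string
{
    $pattern = '/(?<![\w@])@([A-Za-z0-9_-]{1,60})(?![\w-])/';
    return preg_replace_callback($pattern, function (array $m): string {
        $name = $m[1];
        if (!isset(KNOWN_USERS[$name])) {
            return $m[0]; // unknown name: leave the text exactly as typed
        }
        $href  = htmlspecialchars(KNOWN_USERS[$name], ENT_QUOTES, 'UTF-8');
        $label = htmlspecialchars('@' . $name, ENT_QUOTES, 'UTF-8');
        return '<a href="' . $href . '">' . $label . '</a>';
    }, $text);
}

// Constructed sample input: one known user, one unknown name, one e-mail address.
$input = 'Thanks @alice, ping @nobody, or write to me@example.com';
echo link_mentions_safe($input), PHP_EOL;
```

Only `@alice` becomes a link in the hardened version; `@nobody` and the `@example.com` in the e-mail address are left untouched, and the unsafe version is kept only to show which properties (charset, lookup, escaping) the fix adds.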

9 Comments


  1. BuddyPress has bbPress files included, though BuddyPress mentions installing bbPress yourself. I’ve removed BuddyPress for the time being since it was installed on inactive sites, but will this be a problem with BuddyPress too? The files included are obviously older.



    1. Without trying to be too cryptic, and without letting cats out of bags, a similar (but different) bug is being worked on right now for a few other projects, including non-WordPress ones that relied on a similar regular expression for identifying linkable usernames.

      The line between being informative and being responsible is a hard one to walk, but bbPress was the easiest to fix, so out it went.



      1. I understand, even the slightest hint at times gives the bad guys ideas. With the weirdest things I find in my server logs at times, I wish I understood the things hackers leave behind (things like \x97\xA9hghV\ as a small example and I feel I should know how to decode it).

        Gets frustrating when I want to utilize everything WP but every other week something security related stops me in my tracks, as I don’t want a new responsibility of putting user data at risk, even if I have things in place that should keep the data safe.



  2. This vulnerability was a bugger to fix correctly.

    “bugger” … “bug” … see what I did there, right? Tough crowd :-)

    On a completely serious note …

    Is there any timeline on fixing the issue where forum posts which require login access are included in the forum search results WITHOUT needing to log in?



    1. Do you know if there’s a trac ticket for this issue? If you can link me to it, I can respond there. If there isn’t one, let’s find a way to chat more about what the issue is and we can make a new issue together.

      The way you’ve described the issue makes it sound like it’s by design: content within a private forum should stay as private as we can keep it. If there’s a bigger issue, let’s figure it out! :)



      1. Thanks for the quick reply :-)

        I just sent you a LinkedIn invite.

        I’m sure I read something somewhere (would have been several months ago now) that this was a known issue … and that it was part of the 2.8.x roadmap. Could be wrong though.

        I’d post an example here, but the irony would be too much :-)

