BuddyPress 2.3.3 Patches Security Vulnerabilities in BuddyPress Messages Component

BuddyPress 2.3.3 is available and users are encouraged to update as soon as possible. A few security vulnerabilities were discovered in BuddyPress Messages, a core component that allows users to send and receive private messages.

A vulnerability was responsibly disclosed to the BuddyPress team that could allow members to manipulate a failed private outbound message and inject unexpected output to the browser. The vulnerability was reported by Krzysztof Katowicz-Kowalewski.

In addition to the first vulnerability, the BuddyPress core development team independently discovered and fixed related vulnerabilities with the messages component that could allow for carefully crafted private message content to be rendered incorrectly to the browser.

BuddyPress 2.3.3 also fixes a couple of bugs in the 2.3 codebase and improves support for backend changes made in WordPress 4.3. To protect your sites from these vulnerabilities, you should perform a full backup and update BuddyPress as soon as possible.



  1. Totally off-topic, but the reporter has a really nice name, Krzysztof Katowicz-Kowalewski!


  2. Off-topic too: where is Sarah? I haven’t seen any posts from her lately.


      1. Thank you Jeff. Apparently I don’t use Twitter very much. :-)


  3. That is the beauty of managed WordPress hosting: I do not have to do anything. My web host will do that for me.

