The BuddyPress development team has released BuddyPress 2.7.4 to address a security vulnerability that affects all versions back to 2.0.
According to John James Jacoby, lead developer of BuddyPress, “This version patches a vulnerability to the BuddyPress core attachments API that could allow arbitrary file deletion on certain installation configurations.”
The vulnerability was responsibly disclosed by Sam Pizzey through the HackerOne bounty program. Although Automattic primarily uses the service for its own products, it also accepts reports for open source projects such as WordPress and BuddyPress.
Boone Gorges and Paul Gibbs collaborated on a fix for all affected versions of BuddyPress, while Stephen Edgar and Dion helped package the release. BuddyPress users are strongly encouraged to update as soon as possible to protect against this vulnerability. If you encounter any issues or need help, please create a post on the project’s support forums.