+44 0330 223 3428
Call Us
+44 0330 223 3428

BuddyPress: BuddyPress 4.3.0 Security and Maintenance Release

BuddyPress: BuddyPress 4.3.0 Security and Maintenance Release

BuddyPress 4.3.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.

The 4.3.0 release addresses nine security issues:

  • A privilege escalation vulnerability was fixed that could allow users to “favorite” activity items to which they do not have read access. Discovered by Yuvraj Dighe.
  • A privilege escalation vulnerability was fixed that could allow users to join non-public groups while using the Nouveau template pack. Discovered and reported independently by Yuvraj Dighe and Nam.Dinh.
  • A privilege escalation vulnerability was fixed that could allow users to reply to activity items to which they do not have read access. Discovered by Yuvraj Dighe.
  • A privilege escalation vulnerability was fixed that could allow users to view private message threads to which they do not have access while using the Nouveau template pack. Discovered by Yuvraj Dighe.
  • An XSS vulnerability was fixed in the save routine for group names. Discovered by wxy7174.
  • An XSS vulnerability was fixed in the content of activity items. Discovered by Yonatan Offek.
  • A privilege escalation vulnerability was fixed that could allow unauthorized users to update certain group settings. Discovered by wxy7174.
  • A privilege escalation vulnerability was fixed that could allow unauthorized users to view pending group invites. Discovered by Yuvraj Dighe.
  • A privilege escalation vulnerability was fixed that could allow unauthorized users to delete pending group invitations. Discovered by Yuvraj Dighe.

These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporters for practicing coordinated disclosure.

BuddyPress 4.3.0 also fixes 3 bugs. For complete details, visit the 4.3.0 changelog.


BuddyPress 4.3.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible. The 4.3.0 release addresses nine security issues: A privilege escalation vulnerability was fixed that could allow users to “favorite” activity items to which they do not have read access. Discovered by Yuvraj Dighe.A privilege escalation vulnerability was fixed that could allow users to join non-public groups while using the Nouveau template pack. Discovered and reported independently by Yuvraj Dighe and Nam.Dinh.A privilege escalation vulnerability was fixed that could allow users to reply to activity items to which they do not have read access. Discovered by Yuvraj Dighe.A privilege escalation vulnerability was fixed that could allow users to view private message threads to which they do not have access while using the Nouveau template pack. Discovered by Yuvraj Dighe.An XSS vulnerability was fixed in the save routine for group names. Discovered by wxy7174.An XSS vulnerability was fixed in the content of activity items. Discovered by Yonatan Offek.A privilege escalation vulnerability was fixed that could allow unauthorized users to update certain group settings. Discovered by wxy7174.A privilege escalation vulnerability was fixed that could allow unauthorized users to view…

Source: WordPress

Related Post
WPTavern: WPTracSearch: An Elasticsearch-Powered Search Interface for WordPress Trac Tickets

WPTavern: WPTracSearch: An Elasticsearch-Powered Search Interface for WordPress Trac Tickets WordPress Trac is one of the more utilitarian and uninspiring interfaces that many contributors have to contend with in the process of giving back to the project. After growing tired of Trac’s mediocre search functionality, William Earnhardt set out to improve it with a new […]

Read more
WPTavern: Tips for Replying to A Call for Papers or A Call for Speakers

WPTavern: Tips for Replying to A Call for Papers or A Call for Speakers The following is a guest post written by Jennifer Bourn. With 21 years experience as a graphic designer, 15 years experience as a web designer, 14 years as a creative agency owner, and 11 years as a blogger, Jennifer Bourn has […]

Read more
WPTavern: Storefront 2.5.0 Introduces a Custom, Block-Based Homepage

WPTavern: Storefront 2.5.0 Introduces a Custom, Block-Based Homepage Storefront, WooCommerce’s free flagship theme, has just released version 2.5.0 with updates that make it easier to setup and customize the homepage. In 2017, WooCommerce 2.2 introduced starter content to help users set up the homepage template, menus, widgets, and add some demo products. This content has […]

Read more