BuddyPress 12.4.1 is now available. This is a security release. All BuddyPress installations should be updated as soon as possible.
The 12.4.1 release addresses the following security issue:
The dynamic Members, dynamic Friends & dynamic Groups blocks were vulnerable to Stored Cross-Site Scripting (XSS). Discovered by Wesley (wcraft) from the Wordfence organization.
This vulnerability affected BuddyPress branches from 9.0 to 12.0. It was reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.
If for a specific reason you can’t upgrade to 12.4.1, we have also ported the security fix to BuddyPress versions going all the way back to branch 9.0. Here’s the list of the available downloads for the corresponding tags. You can also find these links on our WordPress.org Plugin Directory “Advanced” page:
If you are using BP 9.x and can’t upgrade to 12.4.1, please upgrade to 9.2.3
If you are using BP 10.x and can’t upgrade to 12.4.1, please upgrade to 10.6.3
If you are using BP 11.x and can’t upgrade to 12.4.1, please upgrade to 11.4.1
Immediately available is BuddyPress 12.4.0. This maintenance release fixes 4 bugs, mainly to improve the BP Rewrites API we introduced in 12.0.0. We also exceptionally decided to remove the repair tool for the Members’ last activity in this minor release (we usually make this kind of change in major releases).
Immediately available is BuddyPress 12.3.0. This maintenance release fixes 7 bugs. The most serious one occurred when a community member requested an email address change from her/his front-end profile: the link to verify the validity of the request was not generated correctly. This bug only affects versions 12.0.0 to 12.2.0. It was reported 12 hours ago and we decided to quickly build this maintenance release to fix it as soon as possible.
Please note BP Classic 1.4.0 is now available for upgrade/download. 1.4.0 is a maintenance release of the BuddyPress backwards compatibility Add-on helping you to stay classic so that you can carry on:
enjoying 3rd party BP plugins / themes that are not ready yet for the modern BuddyPress (12.0.0 & up);
and / or using the deprecated BuddyPress Legacy widgets;
and / or using the deprecated BP Default theme.
Only 1 issue has been fixed: the bbPress topics/replies pagination should now behave as expected with BuddyPress 12.0 & up (See #44)
Please note BP Classic 1.3.0 is now available for upgrade/download. 1.3.0 is a maintenance release of the BuddyPress backwards compatibility Add-on helping you to stay classic so that you can carry on:
enjoying 3rd party BP plugins / themes that are not ready yet for the modern BuddyPress (12.0.0 & up);
and / or using the deprecated BuddyPress Legacy widgets;
and / or using the deprecated BP Default theme.
What about 1.3.0 changes?
4 issues have been fixed:
Switch to BP root blog when migrating directories if necessary (See #33).
Make sure BP Tooltips are used in Legacy widgets (See #35 & #39).
Immediately available is BuddyPress 12.2.0. This maintenance release fixes four bugs. One of them was pretty annoying for users first activating BuddyPress with version 12.1.1. In this particular case, the 12.0 deprecated code wasn’t loaded, which could cause nasty errors with 3rd party BP plugins / themes not ready yet for the modern BuddyPress (12.0.0 & up). That’s the reason why we’ve been working hard and as fast as possible to quickly wipe this bug.
BuddyPress 12.1.1 is now available. This is a security and maintenance release. Please update your BuddyPress as soon as possible.
The 12.1.1 release addresses the following minor security issue:
Using the group Cover Image REST API endpoints, it was possible for a non-member of a private/hidden group to get the corresponding group Cover Image URL. Discovered by Colin Xu.
This vulnerability was reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.
BuddyPress 12.1.1 also fixes 10 bugs. For complete details, visit the 12.1.1 changelog.
We’re very excited to announce the immediate availability of BuddyPress 12.0.0 “Nonno”, named after the excellent pizza restaurant located in the 15th arrondissement of Paris, France. Get it now from the WordPress.org plugin repository, or right from your WordPress Dashboard.
It took the BuddyPress Team almost a year to finish baking the 100 changes to perfection, write the user & developer documentation resources and build the backward compatibility Add-on that make up our second major release of 2023.
One of these changes is probably the largest shift we have made since BuddyPress was born 15 years ago.
Our new BP Rewrites API solves a 10-year-old issue and allows BuddyPress to comply with the WordPress way of generating rules to analyze requested URLs and route the visitor to the right site content: the WP Rewrite API. Though we have tried to minimize the changes required for BuddyPress plugins and themes to preserve backward compatibility, the following two constraints couldn’t be worked around:
WordPress fully analyzes a URL later in the load process than our BP Legacy URL parser
Supporting plain permalinks & customizable slugs required us to completely rethink the way we build BuddyPress URLs
Because of these insurmountable limitations, we chose to build the BP Classic Add-on to extend backward compatibility until all of the plugins you use on your site have been updated to use the new system. If you are using one or more third party BuddyPress plugins that have not been updated for the last 4 months or if you are still using the BP Default theme (which was deprecated 10 years ago), we strongly advise you to download and activate BP Classic before upgrading to 12.0.0.
The first step for a Modern BuddyPress
The BP Rewrites API is a massive revolution opening the way for a progressive BuddyPress evolution. Based on 10 years of experience gained through hard work, we are beginning to reimagine what it means to organize and manage communities within WordPress. Here are the immediate benefits of this new API:
You can customize each piece of any URL generated by BuddyPress to better reflect your unique community using the new URLs settings screen.
Pretty or plain, BuddyPress just works no matter which option you choose for your permalink settings.
Routing BuddyPress URLs is faster, more reliable, extensible, testable and fully compliant with WordPress best practices.
A new “members only” community visibility level
We’ve heard from BuddyPress end-users that being able to easily restrict access to their community is a necessary feature. And, thanks to the BP Rewrites API, we are now able to make this possible. With this first iteration, a site admin can now choose whether the community is fully public or is only accessible to logged-in members. In future versions, we hope to add granularity to this choice, so that community administrators can choose to highlight their members but share activities only inside the community’s “gates,” for example.
BP Nouveau is ready for Twenty Twenty-Four
The BP Nouveau template pack has been improved to better support Block Themes in general and Twenty Twenty-Four in particular. As shown in the above screen capture, our default template pack now includes a new Priority Navigation feature.
Receiving your feedback and suggestions for future versions of BuddyPress genuinely motivates and encourages our contributors. Please share it 🙏
Thanks a lot for using BuddyPress 😍
Let’s celebrate “Nonno”
Just like BuddyPress, “Nonno” (which means grandfather) has been around for 15 years, its team is very welcoming, caring and friendly; each of its members is committed to offering the best service and delivering the best tasting pizzas of the highest quality to customers. It’s the perfect place to entertain and have good times with your friends, family, or coworkers.
This version of the BuddyPress software is a development version. Please do not install, run, or test this version of BuddyPress on production or mission-critical websites. Instead, it’s recommended that you evaluate 12.0.0-RC1 on a test server and site.
Reaching this phase of the release cycle is an important milestone. While release candidates are considered ready for release, testing remains vital to ensure that everything in BuddyPress 12.0.0 is the best it can be.
We made three new improvements to the BP Nouveau template pack:
Member and Group loop entries are now more consistent (see #9025)
A group’s excerpt in a loop is now “really” truncating the Group’s description when it exceeds 225 characters (see #9024).
We have made the member’s cover header action buttons behave more consistently (see #9023)
We also added other improvements to this template pack to welcome the Twenty Twenty-Four WordPress theme, including a new Priority Navigation feature (See #9030).
12.0.0 Highlights
The BP Rewrites API (a massive change!)
Site Administrators now have full control over all BuddyPress-generated URLs. They can choose slugs (portions of URLs) that reflect their community, using localized language or special terms that are more meaningful to their members. This also means that URLs generated by third-party BuddyPress Add-ons using the BP Rewrites API will be editable.
BuddyPress is fully compatible with plain URL permalinks.
Parsing BuddyPress URLs is faster, more reliable, extensible, testable and fully compliant with WordPress best practices.
Please note that if some of your BP plugins are not ready yet for this new API, we have you covered thanks to this backwards compatibility plugin.
A new community visibility level: Members only
Thanks to the BP Rewrites API, we were able to give site admins a choice as to whether their community should be fully public or only accessible by logged-in members. In future versions, we hope to add granularity to this choice, so that community administrators can choose to highlight their members but share activities only inside the community “gates” for example.
Ways to contribute
BuddyPress is open source software made possible by a community of people collaborating on and contributing to its development.
Get involved in testing
Testing for issues is critical to developing the software and ensuring its quality. It’s also a meaningful way for anyone to contribute—whether you have coding experience or not.
If you think you’ve found a bug, you can share it with us by replying to this support topic or, if you’re comfortable writing a reproducible bug report, file one on BuddyPress Trac.
NB: BuddyPress 12.0.0 is still under development (final release is scheduled for December 6). You can contribute to BP Classic by checking that the third-party plugins you are using that are not ready yet for the BP Rewrites API (to be introduced in 12.0.0) behave as expected thanks to this backwards compatibility add-on. To do so, simply test it and your BP plugins with the BP 12.0.0-beta4 pre-release and report issues by adding a reply to this topic.