bbPress 2.6.5 is a security release, and fixes 8 total issues reported either via Trac or HackerOne. For anyone running bbPress 2.6, please update to this version immediately.
Special thanks to the following folks for improving the security of bbPress:
- Raphael Karger for disclosing an unauthenticated privilege escalation when New User Registration is enabled
- hoangkien1020 for disclosing an authenticated privilege escalation via the Super Moderator feature
- Binit Ghimire for reporting the potential for a self-XSS via the Forums list-table
Also in this release are: various typographical fixes, a few PHP warnings & notices were eradicated, more accurate escaping of Search results, and support for some recently added WordPress Plugin headers.
This security release came together very quickly, with the help of several WordPress Core, Meta Team, and Security Team members. I appreciate all of your help today.
Another big shoutout to my employer, Sandhills Development, for allowing me the freedom to responsibly shirk my plans for today, enabling me to focus on getting this release out ASAP.