BuddyPress 2.8.2 update has just been made available for download.
This is a security release and we strongly encourage all BuddyPress sites to upgrade as soon as possible.
BuddyPress 2.8.1 and earlier versions were affected by the following three security issues:
- Cross-site request forgery (CSRF) in the XProfile administration Dashboard panel.
- Cross-site request forgery (CSRF) in a number of user-facing AJAX endpoints.
- Cross-site request forgery (CSRF) when dismissing a pending email change.
These vulnerabilities were reported privately by Ronnie Skansing.
Ronnie responsibly and privately disclosed to the WordPress core development team, the found security problem before publicising, so a fix could be prepared, and damage from the vulnerability minimized.
Any themes implementing BuddyPress templates should update its files which include buddypress.js and buddypress-functions.php