BuddyPress 9.1.1 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 9.1.1 release addresses three security issues:
The activation key was included in the responses of the create_item method of the BP REST API Signup controller. Discovered by Brajesh Singh.
An SQL Injection vulnerability was fixed in BP_Notifications_Notification::get_order_by_sql(). Discovered by David Cavins.
An SQL Injection vulnerability was fixed in BP_Invitation::get_order_by_sql(). Discovered by David Cavins.
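One way to close this class of bug, as an added example that is not BuddyPress code and not a reproduction of the actual patch: column names and sort keywords cannot be bound as prepared-statement parameters, so an ORDER BY builder has to compare both against fixed lists. The function name, column list and inputs are constructed for illustration.

```php
<?php
// Added example, not BuddyPress code. The column names are constructed.
const EXAMPLE_SORTABLE_COLUMNS = array( 'id', 'user_id', 'date_notified' );

/**
 * Build an ORDER BY clause from request-supplied arguments.
 * Returns an empty string when the requested column is not on the list.
 */
function example_get_order_by_sql( array $args ): string {
	$order_by   = $args['order_by'] ?? '';
	$sort_order = $args['sort_order'] ?? '';

	// Reject non-strings (e.g. order_by[]=id) and any column not on the list.
	// The strict comparison means "id " or "ID" do not match either.
	if ( ! is_string( $order_by ) || ! in_array( $order_by, EXAMPLE_SORTABLE_COLUMNS, true ) ) {
		return '';
	}

	// Only two directions exist; anything else falls back to ASC.
	$direction = 'ASC';
	if ( is_string( $sort_order ) && 'DESC' === strtoupper( trim( $sort_order ) ) ) {
		$direction = 'DESC';
	}

	// Both parts now come from the fixed lists, never from the request.
	return sprintf( 'ORDER BY %s %s', $order_by, $direction );
}

// Constructed inputs: one valid request and three that must not reach the query.
$cases = array(
	array( 'order_by' => 'date_notified', 'sort_order' => 'desc' ),
	array( 'order_by' => 'date_notified, (SELECT 1)', 'sort_order' => 'DESC' ),
	array( 'order_by' => 'id', 'sort_order' => 'ASC, (SELECT 1)' ),
	array( 'order_by' => array( 'id' ) ),
);

foreach ( $cases as $case ) {
	var_export( example_get_order_by_sql( $case ) );
	echo PHP_EOL;
}
```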
These vulnerabilities were reported privately to the BuddyPress team, in accordance with WordPress’s security policies. Our thanks to the reporters for practicing coordinated disclosure.
BuddyPress 9.1.1 also fixes 3 bugs. For complete details, visit the 9.1.1 changelog.
If for a specific reason you can’t upgrade to 9.1.1, we have also included the security fixes in our branches from 2.9 to 8.0. Here’s the list of available downloads for the corresponding tags, which you can also find on our WordPress.org Directory Advanced page:
If you are using BP 2.9.4 and can’t upgrade to 9.1.1, please upgrade to 2.9.5.1
If you are using BP 3.2.0 and can’t upgrade to 9.1.1, please upgrade to 3.2.1
If you are using BP 4.4.0 and can’t upgrade to 9.1.1, please upgrade to 4.4.1
If you are using BP 5.2.0 and can’t upgrade to 9.1.1, please upgrade to 5.2.1
If you are using BP 6.4.0 and can’t upgrade to 9.1.1, please upgrade to 6.4.2
If you are using BP 7.3.0 and can’t upgrade to 9.1.1, please upgrade to 7.3.2
If you are using BP 8.0.0 and can’t upgrade to 9.1.1, please upgrade to 8.0.2
9.0.0 is named after Mico’s Pizza in Sanary, a little town on the French Riviera. The story of Mico starts in 1968 when Liliane and Jean-Louis bought a restaurant looking like a Swiss chalet. “Mico” is the nickname customers gave to Liliane (Jean-Louis’s wife) because of the remarkable outfits and big colorful hats she used to wear. Their son Romuald, twelve years after following in his parents’ footsteps, continues the tradition and offers us a moment of happiness around a table that is always excellent, friendly and so uncommon, just like BuddyPress 9.0.0 🍕
You can get it by clicking on the above button, downloading it from the WordPress.org plugin directory, installing or updating it directly from your WordPress dashboard, or checking it out from our Subversion repository.
👉 If you’re upgrading from a previous version of BuddyPress, it’s always a good idea to back up your WordPress database and files ahead of time.
You can review all of the changes in this 9.0.0 release in the release notes. Below are the key features we believe you are going to enjoy most!
It’s all about Widget Blocks!
WordPress 5.8 is right around the corner and debuts a brand new way to manage widgets: the Widget Block Editor. With BuddyPress 9.0.0, we have introduced 10 new BuddyPress Blocks, so you can continue to use your favorite BP Widgets with the new WP Block approach.
The new BP Widget Blocks are simply Legacy Widgets we’ve rebuilt as BP Blocks, which means you can also access them in the Block Editor for use in your posts or pages!
PS: Have you noticed that the icons for BuddyPress Blocks are now bright red?
Convert a Legacy Widget into a Block Widget in two clicks 😎
As shown in the image above, it’s very easy to transform a Widget into a Block. Your existing Widget settings will automagically be imported into your shiny, new BP Block.
NB: Creating a BP Block for each existing BP Legacy Widget marks the first step toward the progressive retirement of these tiny pieces of BuddyPress content.
The BP REST API: Improved endpoints and a new one!
This BuddyPress release was built in a short time frame to be ready for the release of WordPress 5.8.
While doing the work on BP Widget Blocks, we also worked with many of our REST API endpoints and took this opportunity to improve several of them. We’re also introducing a new Sitewide Notices endpoint to allow site admins to create, edit, or delete notices and let all of your users fetch the active notice.
Under the hood
9.0.0 comes with fewer changes than most of our releases but includes fixes for issues which appeared in 8.0.0 and BP Nouveau Template Pack improvements.
Many thanks to the 24 contributors who helped us build & translate BuddyPress 9.0.0
How are you using BuddyPress? Receiving your feedback and suggestions for future versions of BuddyPress genuinely motivates and encourages our contributors. Please share your feedback about this version of BuddyPress on our website.
Important note: this BuddyPress release was built in a short time frame (we even skipped the beta release) to be ready for the release of WordPress 5.8. Our team’s primary goal for 9.0.0 was to migrate the BP Legacy Widgets to new BP Widget Blocks. You don’t necessarily need the latest WordPress 5.8 pre-release to test the BuddyPress 9.0.0 Release Candidate, but we’d be happy if you could use both pre-release versions so we can get your feedback about your experience with managing the BP Widget Blocks within the Widget Block Editor.
“Release Candidate” means that we believe the new version is ready for release, but with more than 200,000 active installs, hundreds of BuddyPress plugins and thousands of WordPress themes, it’s possible something was missed. BuddyPress 9.0.0 is slated for release on July 19, 2021, but your help is needed to get there 🙏.
You can test the 9.0.0-RC1 pre-release in 4 ways:
The 10 BuddyPress legacy widgets will have their corresponding BP Blocks so that you can fully enjoy them within the next Widget Block editor and of course inside your Post/Page Block Editor.
The BP Block collection is going to be tripled from 5 to 15 Blocks 🙌
How you can help
This is really important: this release also marks the string freeze point of the 9.0.0 release schedule. And we have less than 4 days to update BuddyPress translation.
PS: If you think you’ve found a bug, you can share it with us by replying to this support topic or, if you’re comfortable writing a reproducible bug report, file one on BuddyPress Trac.
“Alfano” is our first major release of 2021. It is named after Alfano’s Pizza in Rock Island, Illinois, a family-run pizzeria that’s been around since the 1970s. They know how to keep it simple: there’s nothing on the menu but mouth-watering pizzas and calzones featuring their own made-from-scratch sauce and crust. For the true Alfano’s experience, order a stuffed pizza and dine in with as many friends as you can bring. The massive, two-crust pizza will be brought to the table piping hot, and there will be plenty for everyone!
👉 If you’re upgrading from a previous version of BuddyPress, it’s always a good idea to back up your WordPress database and files ahead of time.
You can review all of the changes in this 8.0.0 release in the release notes. Below are the key features we believe you are going to enjoy most!
Your current members are the best way to recruit fantastic new members for your community.
Whether public registration is enabled or not, you can activate this great new opt-in feature from your site’s BuddyPress settings; with it, your trusted members will handpick new members who will enrich your community.
Once activated, each member will be able to send new Member Invitation emails and manage the pending invitations directly from his or her profile area.
You keep control of everything thanks to two new screens we added to the BuddyPress Tools dashboard: invitations and opt-outs management.
First, you can select any xProfile field from any xProfile field group to use on your site’s registration form. Second, if your site requires that users accept specific rules such as terms of service or a code of conduct, you can now take advantage of the new Checkbox Acceptance xProfile Field type to record their agreement.
Third, once a user activates his or her account, BuddyPress will send a welcome email to help get him or her engaged with your community. You can customize the content of this email from the Emails menu of your WordPress dashboard. Have a look at this developer note to find out more about it.
WP xProfile field types.
The WP Biography field type lets you include the user’s Biographical Info and thanks to the WP Textbox field you can include the first & last name, the Website URL as well as any of the custom contact methods of your users.
8.0.0 includes more than 45 changes to improve the Activity component, the BP Nouveau Template pack, the BP REST API and many more components and features.
Many thanks to the 47 contributors who helped us build & translate BuddyPress 8.0.0
Receiving your feedback and suggestions for future versions of BuddyPress genuinely motivates and encourages our contributors. Please share your feedback about this version of BuddyPress in the comments area of this post. And of course, if you’ve found a bug: please tell us about it in our Support forums.
“Release Candidate” means that we think the new version is ready for release, but with more than 200,000 active installs, hundreds of BuddyPress plugins and thousands of WordPress themes, it’s possible something was missed. BuddyPress 8.0.0 is slated for release on June 7, 2021, but your help is needed to get there — if you haven’t tried 8.0.0 yet, doing it now is a great idea!
A detailed changelog will be part of our official release note, but you can get a quick overview by reading the post about the 8.0.0 Beta1 release.
Plugin and Theme Developers
Please test your plugins and themes against BuddyPress 8.0.0. If you find compatibility problems, please be sure to post to this specific support topic so we can figure those out before the final release. We strongly advise you to have a look at the 8.0.0 developer notes to figure out what to focus on during your testing.
If you think you’ve found a bug, you can share it with us by replying to this support topic or, if you’re comfortable writing a reproducible bug report, file one on BuddyPress Trac.
If you haven’t tested our first 8.0.0 beta release, here’s another opportunity to help us give the final touches to our next major release so that we make sure it will fit perfectly into your WordPress / BuddyPress specific configuration. Beta testing is very important and we need you all, whether you’re a regular or advanced user, a theme designer or a plugin author: please contribute!
First, we applied to ourselves the advice we just gave you in the first paragraph of this post: we’ve tested BuddyPress on WordPress 5.8-alpha and on the latest stable WordPress and Gutenberg plugin. Our goal was to check the very promising Widgets Block Editor that is announced to be part of the WordPress 5.8 release. This helped us anticipate some deprecation notices and prevent an issue from happening in the new Widgets Block Editor Administration screen. If you were worried about losing your favorite BuddyPress widgets once WordPress 5.8 is released: be reassured, we can tell you there’s a back-compatibility mechanism in the Widgets Block feature making sure legacy widgets can still be managed from the new Widgets Block Editor Administration screen. If you’re wondering if we have a plan about migrating these widgets as blocks, we confirm we do and we actually started building these next BP Blocks!
We also tested the Full Site Editing feature. For now, there’s a breaking change preventing our BP Theme Compat API from behaving as expected, but we’re on it and we’ll make sure BuddyPress is Full Site Editing ready before this feature is merged into WordPress core.
The current target for final release is June 2, 2021. That’s just five weeks away, so your help is vital to making sure that the final release is as good as it can be.
Please note BuddyPress 8.0.0 will require at least WordPress 4.9.
We repeat it each time we announce a beta release: testing for bugs is VERRRY important. Please make sure to test this pre-release using a testing configuration which is very close to the one you are using in production. If you find something unusual (aside from the great new features below), please report it on BuddyPress Trac or post a reply to this support topic.
Here are the three hottest 8.0.0 features to pay close attention to while testing (Check out this report on Trac for the full list).
👫 BP Members Invitations
Whether you allow open registration or not you can use this opt-in feature to let your community grow itself. Once enabled from the BuddyPress Options Administration screen, your members will be able to invite their network of friends, co-workers, students, developers, well possibly anyone, to join your site 📈.
✍️ Selectable xProfile sign-up fields
Until now, only the Primary group of xProfile fields was displayed on the registration form of your community. 8.0.0 gives you the freedom to choose any field from any field group to add to your site’s registration form 💫.
Include WordPress user fields in your BuddyPress member profiles
8.0.0 introduces 2 new xProfile Field types. The WP Textbox can be used to include the user’s first name, last name, Website link or any potential WP contact methods. With the WP Biography field you can display the Biographical Info in the group of xProfile fields of your choice 🙌 .
BuddyPress 7.3.0 is now available. This is a security and maintenance release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 7.3.0 release addresses four security issues:
A vulnerability was fixed that could allow a member to create a group on behalf of another member via a REST API endpoint.
A vulnerability was fixed that could allow members to favorite any private/hidden activities they shouldn’t have access to via a REST API endpoint.
A vulnerability was fixed that could allow the creator of a group to still be able to update or delete it after being demoted to a regular member of it via a REST API endpoint.
A vulnerability was fixed that could allow a group’s banned members to remove themselves from the group and still be able to join it or request a membership to it via a REST API endpoint.
These vulnerabilities were reported privately to the BuddyPress team by Kien Hoang, in accordance with WordPress’s security policies. Our thanks to the reporter for practicing coordinated disclosure.
Version 7.3.0 also fixes a bug in our WP CLI Scaffold command.
BuddyPress 7.2.1 is now available. This is a security release. All BuddyPress installations are strongly encouraged to upgrade as soon as possible.
The 7.2.1 release addresses 5 security issues which were reported privately to the BuddyPress team by Kien Hoang, in accordance with WordPress’s security policies:
A vulnerability was fixed that could allow a privilege escalation from a regular user to Administrator, using the BuddyPress REST API buddypress/v1/members/me endpoint.
A vulnerability was fixed that could allow a member to force a friendship on behalf of another member, using the BuddyPress REST API buddypress/v1/friends endpoint.
A vulnerability was fixed that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API buddypress/v1/messages endpoint.
A vulnerability was fixed that could allow a member to invite another member to join a group without being friends when that group restricted invites to friends only, using BuddyPress Nouveau and the BuddyPress REST API buddypress/v1/groups/invites endpoint.
A vulnerability was fixed that could allow a user that has just been demoted from an Administrator role to a Subscriber to add/edit/delete BuddyPress Member Types from the Administration screens introduced in the 7.0.0 release.
The BuddyPress Team also conducted a comprehensive security audit on all BuddyPress REST API endpoints, which led to:
Improving all permission methods to use a WP_Error object as the default return value.
Fixing unintended behavior allowing any member to edit their own Member Type.
Fixing unintended behavior that allowed any logged in member to list the members of a private group.
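The fail-closed pattern named in the first audit item, as an added example that is not BuddyPress code: the check starts from a WP_Error and only an explicit grant replaces it, and it authorizes on the caller's current role rather than on who created the group (the demoted-creator case fixed in 7.3.0). The function name, group array and user ids are hypothetical, and the small WP_Error stand-in exists only so the file runs without WordPress.

```php
<?php
// Added example, not BuddyPress code. Minimal stand-in for WordPress's
// WP_Error class, used only when the file runs outside WordPress.
if ( ! class_exists( 'WP_Error' ) ) {
	class WP_Error {
		private $code;
		private $message;
		private $data;
		public function __construct( $code = '', $message = '', $data = '' ) {
			$this->code    = $code;
			$this->message = $message;
			$this->data    = $data;
		}
		public function get_error_data() {
			return $this->data;
		}
	}
}

/**
 * Hypothetical permission check for updating a group.
 * Returns true only when a check explicitly grants access.
 */
function example_update_group_permissions_check( array $group, int $user_id ) {
	// Fail closed: the default answer is an error, never true or null.
	$retval = new WP_Error(
		'example_rest_authorization_required',
		'Sorry, you are not allowed to update this group.',
		array( 'status' => $user_id > 0 ? 403 : 401 )
	);

	// Authorize on the caller's current role. creator_id is historical
	// information and is deliberately not consulted.
	if ( $user_id > 0 && in_array( $user_id, $group['admin_ids'], true ) ) {
		$retval = true;
	}

	return $retval;
}

// Constructed data: user 7 created the group, then was demoted to member.
$group = array( 'creator_id' => 7, 'admin_ids' => array( 3 ), 'member_ids' => array( 3, 7, 9 ) );

foreach ( array( 3, 7, 0 ) as $user_id ) {
	$result = example_update_group_permissions_check( $group, $user_id );
	$status = true === $result ? 'allowed' : 'denied (HTTP ' . $result->get_error_data()['status'] . ')';
	printf( "user %d: %s\n", $user_id, $status );
}
```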
Immediately available is BuddyPress 7.2.0. This maintenance release fixes six bugs mainly related to issues when the BP Nouveau Template Pack is used with the Twenty Twenty-One WordPress theme. For details on the changes, please read the 7.2.0 release notes.