Version 12.7.0
Versions 11.6.0, 12.7.0, and 14.5.0 are all BuddyPress security releases. They were released on July 7, 2026. Two security fixes were introduced.
For Version 12.7.0, the database version (_bp_db_version in wp_options) was 13422, and the Trac revision was 14210.
Security fixes
- Improve security of messages endpoint.
In the REST API messages endpoint, sanitize the incominguser_idparameter value to avoid user spoofing.
Special thanks to trihedron who first reported this issue responsibly.
Props emaralive, jjj, espellcaste, trihedron, substitute99, j2k14a, g_r_i_n_n, pythonime, dizconnect (Sanjorn Keeratirungsan), eneednar19, bb-hunter (Mustafa Ahmed), yhalo (Yaohui Wang), Ngo Anh Duc, ekbreks, jeromewincek (Jerome Wincek), taylsec, ajaah-254, izumi_hyun, mickey_cyberkid (Michael Okyere), underdog_theori, duyytrann (Duy Tran), safe-us (Safe Us Team), miauuu, daupaul (Dau-Po Yu). - Components: Restrict updates to site admins.
Ensure that the current user has the `manage_options` capability before allowing them to change BuddyPress component status.
Special thanks to kasthelord (Lukas Collishaw) who first reported this issue responsibly.
Props emaralive, jjj, espellcaste, kasthelord (Lukas Collishaw), 1353594865qq, jeromewincek (Jerome Wincek), vvh1te3zz.
Other improvements
- BP Nouveau: Fix “caps lock is on” message on registration screen. WordPress 6.9 added the new message, and BuddyPress needs to update the CSS used with the form. See #9324.
- Fix ‘no-js’ body class logic for BuddyPress pages. This is a correction to 14175 which attempted to address a regression introduced at [13672], part of [13418]. See #9304.