Version 14.5.0
Versions 11.6.0, 12.7.0, and 14.5.0 are all BuddyPress security releases. They were released on July 7, 2026. Two security fixes were addressed in each version. 14.5.0 also includes many code improvements.
For Version 14.5.0, the database version (_bp_db_version in wp_options) was 13422, and the Trac revision was 14208.
Security fixes
- Improve security of messages endpoint.
In the REST API messages endpoint, sanitize the incominguser_idparameter value to avoid user spoofing.
Special thanks to trihedron who first reported this issue responsibly.
Props emaralive, jjj, espellcaste, trihedron, substitute99, j2k14a, g_r_i_n_n, pythonime, dizconnect (Sanjorn Keeratirungsan), eneednar19, bb-hunter (Mustafa Ahmed), yhalo (Yaohui Wang), Ngo Anh Duc, ekbreks, jeromewincek (Jerome Wincek), taylsec, ajaah-254, izumi_hyun, mickey_cyberkid (Michael Okyere), underdog_theori, duyytrann (Duy Tran), safe-us (Safe Us Team), miauuu, daupaul (Dau-Po Yu). - Components: Restrict updates to site admins.
Ensure that the current user has the `manage_options` capability before allowing them to change BuddyPress component status.
Special thanks to kasthelord (Lukas Collishaw) who first reported this issue responsibly.
Props emaralive, jjj, espellcaste, kasthelord (Lukas Collishaw), 1353594865qq, jeromewincek (Jerome Wincek), vvh1te3zz.
Other improvements
- BP Nouveau: Fix “caps lock is on” message on registration screen. WordPress 6.9 added the new message, and BuddyPress needs to update the CSS used with the form. See #9324.
- Fix ‘no-js’ body class logic for BuddyPress pages. This is a correction to 14175 which attempted to address a regression introduced at [13672], part of [13418]. See #9304.
- Tools: point BP-REST to
pre-bp15instead ofmaster. - Tools: ignore
vendorandcomposer.lock. - Address a WPCS error for the new
bp_get_blog_latest_post_idfunction. See #9286, #9174, and #9173. - Bump “Tested up to” in the readme.txt to 6.9. See #9309.
- Load block styles on demand in classic themes. WordPress 6.9 introduced the
wp_before_include_templatehook as part oftemplate-loader.phptemplate to enable output buffering for block style hoisting. Since BuddyPress bypassestemplate-loader.phpwhen loading templates, we need to integrate this optimization, by hooking it directly. Developed in https://github.com/buddypress/buddypress/pull/430. See #9309. - Stop (root blog) BuddyPress directories from showing in the WP Dropdown
- Administration: Remove deprecated
unloadevent handlers withpagehide. For a deeper understanding about this change, refer to https://core.trac.wordpress.org/ticket/55491. See #9299. - When the
Extended Profilescomponent is disabled, the “Profile Visibility” settings link should not 404. The “Profile Visibility” link,members/user/settings/profile/, relies on the Extended Profiles component to work properly. When this component is disabled, the link should not added to the user profile settings menu. We also did the same for theEmaillink. So that it is added only when theNotificationscomponent is enabled. See #9297. - Check if the Group Types taxonomy exists before adding its menu. Before adding a menu item for the Group Types taxonomy, confirm the taxonomy exists (if it was not disabled). See #9293.
- Deprecate the current CSS class for the group item since it is too generic. We also introduce a prefixed
bp-group-status-{status}class (e.g.,bp-group-status-hidden) while keeping the old non-prefixed class for backwards compatibility. The old, non-prefixed, class will be properly removed in the next release (see #9316). See #9308. - Avoid an error attempting to convert a
WP_Errorobject to astringwhen checking for profile data existence. While checking if a profile data exist, let us improve our error handling to avoid a PHP error trying to convert aWP_Errorobject to astring. The reason why we might get aWP_Errorobject is varied, but it implies the data does not exist, and we should fail gracefully rather than throw an error. See #9290. - Incorrect sorting of friendships in the user profile.
data-bp-list="members"in the friends template causes JavaScript to usebp-memberssession storage key instead ofbp-friends, so filter changes did not persist correctly. See #9268. - Fix an issue where hidden columns (using the Screen Options tab) were not being “enforced” in the Groups List Table. Fixes #9244.
bp_get_blog_latest_post()make use of thethe_titlefilter hook but only one param is provided. We are introducing two new getters for the latest post ID.bp_get_blog_latest_post_idandbp_blog_latest_post_id. Developed in https://github.com/buddypress/buddypress/pull/411. See #9286 (14.0).- BP Nouveau: Introduce a new hook before/after an Activity Stream (Single Item). New
entry_contenthooks were introduced before/after an Activity Stream. The hook name followed the pattern in the template, e.g.entry_comments. Developed in https://github.com/buddypress/buddypress/pull/410. See #9287. - Fix typo in the BuddyPress Membership Invitations header comment. See #9173, #9242.
- Core: improve PHP8 compatibility by only calling
closedir()on properopendir()resources. The intent of this change is to avoidclosedir()producing warnings & errors whenopendir()had previously returned false. It also adds a missingclosedir()call to thebp_attachments_cover_image_generate_file()function. Fixes #9307. - Replace
esc_url()withesc_url_raw()for almost all avatar URLs returned in AJAX/JSON responses. This change addresses an issue where a site modifies the url returned bybp_core_fetch_avatar, and those URLs are returned as image src attributes. In the process of escaping the url,esc_urlconverts those attributes becoming malformed.esc_url_raw()sanitizes the url without HTML entity encoding, which is correct for non-HTML contexts. Since BuddyPress DOES NOT return the image src attributes by default as part of the url, this change should have no impact to regular users. Unless the site is purposefully changing them (the use case here is an image CDN that returns the image [on demand] using the src attributes as image params in the avatar url). See https://github.com/buddypress/buddypress/pull/427 See #9312. - Add pre-filter hook for avatar history. Add
bp_pre_avatar_get_avatars_historyfilter to allow short-circuiting avatar history retrieval. Fix typo@parmato@paraminbp_core_avatar_handle_uploaddocblock. See #9311. - Code Modernization: address the only, so far, two issues related to PHP 8.5. Fixes #9313.
seems_utf8is deprecated in WordPress 6.9, let us use its replacement,wp_is_valid_utf8, instead. Instances whereseems_utf8was used were updated to usewp_is_valid_utf8instead, if available (WordPress 6.9). See #9309.- The function
is_home()returnsfalseon BuddyPress pages. This change addresses an issue whereis_homereturnedtrueon BuddyPress pages (except if a BuddyPress component was set as the front page). Fixes #9300. - Restore the the Activity feed atom link. This resolves a regression introduced at [13816], where the
self_linkno longer was - echoing the link from the atom feed. Since
self_linkalready echoes the link, we do not need to runesc_urlagain. Fixes #9298.
Contributors
Thanks for all of the help with this release! Contributors include emaralive, vapvarun, westonruter, joelkarunungan, nikunj8866, shawfactor, r-a-y, t.schwarz, dcavins, noruzzaman, rollybueno, potcus, pratiklondhe, yatesa01, bhargavbhandari90, amitraj2203, GaryJ., espellcaste, needle, and johnjamesjacoby.