Version 7.2.1
Version 7.2.1 is a BuddyPress security release. It was released on March 16, 2021. 7 vulnerabilities were fixed.
For version 7.2.1, the database version (bp_db_version in wp_options) was 12385, and the Trac revision was 12865.
Fixes
- A vulnerability was fixed that could allow a privilege escalation from a regular user to Administrator, using the BuddyPress REST API buddypress/v1/members/me endpoint.
- A vulnerability was fixed that could allow a member to force a friendship on behalf of another member, using the BuddyPress REST API buddypress/v1/friends endpoint.
- A vulnerability was fixed that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API buddypress/v1/messages endpoint.
- A vulnerability was fixed that could allow a member to invite another member to join a group without being friends when that group restricted invites to friends only, using BuddyPress Nouveau and the BuddyPress REST API buddypress/v1/groups/invites endpoint.
- A vulnerability was fixed that could allow a user that has just been demoted from an Administrator role to a Subscriber to add/edit/delete BuddyPress Member Types from the Administration screens introduced in the 7.0.0 release.
- Improve all permission methods to use a WP_Error object as the default return value.
- Fix unintended behavior allowing any member to edit their own Member Type.
- Fix unintended behavior that allowed any logged-in member to list the members of a private group.
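The "WP_Error object as the default return value" fix above is a fail-closed pattern for REST permission callbacks: the check starts out denying and only flips to allowed after every condition is verified, so a missed branch (such as the one that let a member act on behalf of another in the friends endpoint) denies rather than grants. The following is an added illustration on a hypothetical route, not BuddyPress's own code; the example/v1 namespace, the initiator_id/friend_id parameters and the manage_options check are assumptions.

```php
<?php
// Added example (not BuddyPress code): a REST permission callback that fails closed.
// $retval begins life as a WP_Error and is only replaced by true once all checks pass,
// so any code path that forgets to decide still ends in a denial.
// Assumptions: route namespace 'example/v1', parameters 'initiator_id' and 'friend_id'.

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/friends', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'example_create_friendship',
		'permission_callback' => 'example_create_friendship_permissions_check',
		'args'                => array(
			'initiator_id' => array( 'type' => 'integer', 'required' => true ),
			'friend_id'    => array( 'type' => 'integer', 'required' => true ),
		),
	) );
} );

/**
 * Default-deny permission check: $retval is a WP_Error until proven otherwise.
 * rest_authorization_required_code() yields 401 for anonymous and 403 for logged-in users.
 */
function example_create_friendship_permissions_check( WP_REST_Request $request ) {
	$retval = new WP_Error(
		'rest_authorization_required',
		__( 'Sorry, you are not allowed to perform this action.' ),
		array( 'status' => rest_authorization_required_code() )
	);

	if ( ! is_user_logged_in() ) {
		return $retval; // anonymous request: keep the default error
	}

	$initiator_id = (int) $request->get_param( 'initiator_id' );

	// A member may only create a friendship request on their own behalf.
	// Acting for another member requires a site-level capability (assumed: manage_options).
	if ( get_current_user_id() === $initiator_id || current_user_can( 'manage_options' ) ) {
		$retval = true;
	}

	return $retval; // either true or the original WP_Error; never null or false
}

function example_create_friendship( WP_REST_Request $request ) {
	// The permission callback has already run; only the business logic remains here.
	return rest_ensure_response( array( 'created' => true ) );
}
```

Returning a WP_Error rather than false also gives the client a specific HTTP status and message, which makes denied requests easier to spot in REST API logs.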