BuddyPress 2.3.3 has been released for download. This is a maintenance and security release for the 2.3 branch, and it is recommended that all BuddyPress installations be upgraded as soon as possible.
“BuddyPress Messages, while off by default, is a component that’s frequently enabled to allow members to communicate privately with each other. A vulnerability was responsibly disclosed to the BuddyPress team that could allow members to manipulate a failed private outbound message and inject unexpected output to the browser. This vulnerability was reported by Krzysztof Katowicz-Kowalewski. The BuddyPress team independently discovered and fixed related vulnerabilities with the messages component that could allow for carefully crafted private message content to be rendered incorrectly to the browser.
This release also includes fixes for several other bugs introduced in the 2.3 series, and improves support for administration changes made in WordPress 4.3.”