Vanilla 2.5.1 now available - security update

Linc, Vanilla's Bard (and Director of Development), Detroit, Vanilla Staff
edited February 12 in Releases

Vanilla 2.5.1 contains multiple security and bug fixes. Please upgrade immediately.

If you are upgrading from a release prior to 2.5, read the 2.5 notes first and follow those steps to upgrade.

This is a drop-in replacement for 2.5. Run utility/update twice after uploading.

Release notes follow. Please start a new discussion for assistance with problems upgrading.


  • Fix profile controller permission checks to block user content from guests.
  • Fix XSS issue in Flagging addon.

Additionally, we wish to belatedly thank psych0tr1a for reporting an XSS vulnerability in our HTMLawed implementation that was previously patched in the 2.5 release.


  • Fix category permission check when using the comments API endpoint (overly aggressive, not leaking data).
  • Fix .htaccess to work correctly with subdirectories.
  • Fix broken link text in posts when using "Warn When Leaving" security setting with Wysiwyg formatting.
  • Disable FloodControl checks when saving the activity notification queue to fix blocked notifications.
  • Fix analytics tick redirecting to sign-in when Private Community is enabled.
  • Fix missing Vanilla logo on install screen.


  • Add support for rel attribute to YouTube embeds.
  • Add profile extender fields into controller data for use by addons.
  • Add a note about MySQL strict mode to the README.
  • Update the dashboard version check to seek PHP 7.0.

We anticipate more security fixes in the coming months as we increase exposure of our security bounty program. Please keep a careful eye on your dashboard and this forum for more updates regularly.



  • Everything is fine except .htaccess still doesn't work on my server so I need to use the old one from previous version.

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$$1 [R=301,L]