XenForo 2.3.10 Released​

XenForo 2.3.10 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

In addition to the usual bug fixes, XenForo 2.3.10 includes a critical security fix involving a potential stored XSS vector in structured text mentions (mostly legacy profile post content). We'd like to extend thanks to metho for responsibly disclosing the issue.

If you are a XenForo Cloud customer running 2.3.8, the security fix has already been applied and no immediate action is required. XenForo 2.3.10 will be made available to you shortly.

XenForo 2.3.10 also includes a few new features which we called out in our latest Have you seen...? post here:

Phrase tools​

For more years than I've been at the company, we have had an internal tool which we use during development of features to help us keep on top of phrases. It scans the code base to detect strings in templates that might need to become phrases and also looks for certain delimited strings in PHP code that can also be converted to phrases.

In XenForo 2.3.10 we have (finally!) polished this up and converted them to CLI commands.

Some of the changes in XF 2.3.10 include:

• Ensure "View Older Results" link appears on last page of search results
• Ensure "No such recipient" bounce responses are classified as hard bounces
• Ensure "Account Closed" bounce responses are classified as hard bounces
• Ensure "Recipient not found" bounce responses are classified as hard bounces
• Ensure "mailbox is disabled" bounce responses are classified as hard bounces
• Ensure "not configured to receive" bounce responses are classified as hard bounces
• Prevent inet_pton() ValueError when IP address contains null bytes
• Use original Email object for error logging after DKIM signing to prevent undefined method error
• Skip array values during custom field multiselect validation to prevent Array to string conversion warning
• Normalize discouragement delay min/max values to prevent mt_rand() ValueError
• Suppress dns_get_record() warning during DKIM verification to prevent job crash on DNS failure
• Prevent alerts from being sent to banned users
• Correct OAuth2 token revocation to properly invalidate both access and refresh tokens
• Respect direction parameter for multi-column sort ordering in Finder
• Re-enable passkey button when WebAuthn registration or authentication is aborted
• Add missing bookmark_id index to xf_bookmark_label_use table
• Prevent accumulating whitespace in GenerateFinders CLI command on repeated runs
• Avoid exception-based flow control in getFinder for entity class resolution
• Set explicit working directory for sub-processes to prevent failure when CWD is inaccessible
• Prevent type error when custom field type changes with preserved values
• Include purchasable ID in Stripe product and plan ID generation
• Implement ContainableInterface and DatableInterface on various child content entities
• Create template when generating a route with xf-make:route

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Current requirements​

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

Installation and upgrade instructions​

Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.