bbPress 2.5.10 is out, and is a security release for all previous 2.x versions.
bbPress version 2.5.10 includes additional escaping on user display names in places where names & avatars are commonly displayed together.
These changes are internal to bbPress and do not affect any third-party themes or modifications to bbPress template parts. If you are using a third-party theme or template parts, you will inherit these fixes automatically.
Check the 2.5 milestone for a comprehensive changelog of fixes.
Take a moment to update your bbPress installations to 2.5.10. If you’re using WordPress’s built-in updater, it should only take a click or two.
These fixes have also been ported over to 2.6, which we continue to run here at bbPress.org and BuddyPress.org.