Anyone using versions below 1.2.1 of bbPress Members Only is advised to update as soon as possible. Version 1.3.1 was made available on December 26th and tested up to WordPress 5.3.2. Administrators should always exercise caution when installing new WordPress plugins as they are often targeted due to ease of access to source code and the ability to test exploits against. If the plugin has not been updated in quite some time, chances are it is no longer in active development and should be avoided. If an in-house code review team is available (or paid external reviews are possible), plugins should be vetted before use on a WordPress site. Administrators of any web applications should be wary of email messages containing links to the site that they administer. Instead of ignoring or deleting these email messages, it can be helpful to share the email containing suspicious URLs with security professionals, because the URL may reveal a Cross-Site Request Forgery or Cross-Site Scripting vulnerability that an attacker has found and is trying to exploit.

Source: https://plugins.trac.wordpress.org/changeset/2217984, https://www.symantec.com/security-center/vulnerabilities/writeup/111305?om_rssid=sr-advisories