With the introduction of 2.5.11 and the stronger password hashing, I missed one important detail in our code, that sends user passwords to PHP's error log when passwords get updated and error reporting is activated. This is a bug that should never have happened and I take full responsibility for missing it. I apologize to all of you for the extra work to upgrade Kirby.
PHP error logs should only be accessible to you in a secure server environment and there's no direct link between the password and the user. It's still a security issue. We learned about it yesterday evening, instantly patched all 2.5.11 downloads and prepared today's release. We recommend to all our users to upgrade to 2.5.12 immediately and to delete all your error logs.
There are no further changes in this release.
Thank you for your support!