ActivityPub Security & Risk Analysis

wordpress.org/plugins/activitypub

Connect your site to the Open Social Web and let millions of users follow, share, and interact with your content from Mastodon, Pixelfed, and more.

6K active installs · v8.0.1 · PHP 7.4+ · WP 6.5+ · Updated Mar 11, 2026
Tags: activitypub · activitystream · fediverse · indieweb · social-web
Score: 99 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Jan 5, 2024
Safety Verdict

Is ActivityPub Safe to Use in 2026?

Generally Safe

Score 99/100

ActivityPub has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jan 5, 2024 · Updated 23d ago
Risk Assessment

The ActivityPub plugin v8.0.1 presents a mixed security posture. On the positive side, static analysis reveals a small attack surface with no unprotected entry points, a high percentage of SQL queries using prepared statements, and a good number of capability checks. However, there are areas of concern. The taint analysis shows one flow with unsanitized paths, which, while not flagged as critical or high severity, warrants attention as it could potentially lead to vulnerabilities if not properly handled. Additionally, the plugin has a history of five known medium-severity vulnerabilities, with common types including Missing Authorization and Cross-site Scripting. While there are currently no unpatched CVEs, this pattern of past vulnerabilities suggests a need for ongoing vigilance and robust security practices during development and updates.

Key Concerns

  • Taint flow with unsanitized path
  • Past medium severity CVEs (5 total)
  • Output escaping is not fully proper (66% escaped)
Vulnerabilities: 5

ActivityPub Security Vulnerabilities

CVEs by Year

2023: 4 CVEs (all patched)
2024: 1 CVE (patched)

Severity Breakdown

Medium: 5 (5 total CVEs)

CVE-2023-52199 · medium · 5.3 · Missing Authorization
ActivityPub <= 1.0.5 - Missing Authorization
Jan 5, 2024 · Patched in 1.0.6 (18d)

CVE-2023-3746 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ActivityPub <= 0.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Content
Sep 25, 2023 · Patched in 1.0.0 (120d)

CVE-2023-5057 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ActivityPub <= 0.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via User Metadata
Sep 25, 2023 · Patched in 1.0.0 (120d)

CVE-2023-3707 · medium · 6.5 · Authorization Bypass Through User-Controlled Key
ActivityPub <= 0.17.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Sensitive Post Content Exposure
Sep 25, 2023 · Patched in 1.0.0 (120d)

CVE-2023-3706 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
ActivityPub <= 0.17.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Sensitive Post Title Exposure
Sep 25, 2023 · Patched in 1.0.0 (120d)
Code Analysis
Analyzed Mar 16, 2026

ActivityPub Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (59 prepared)
Unescaped Output: 185 (353 escaped)
Nonce Checks: 1
Capability Checks: 8
File Operations: 2
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

95% prepared (62 total queries)

Output Escaping

66% escaped (538 total outputs)
Data Flows: 1 unsanitized

Data Flow Analysis

8 flows, 1 with unsanitized paths:
greet (includes\wp-admin\import\class-starter-kit.php:543)
Attack Surface

ActivityPub Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[ap_content] includes\class-shortcodes.php:197

WordPress Hooks: 5

action init includes\class-migration.php:163
action init includes\class-migration.php:169
action wp_head includes\class-router.php:169
action load-settings_page_activitypub includes\wp-admin\class-settings-fields.php:23
filter activitypub_transformer integration\load.php:140

Scheduled Events: 1

importer_scheduled_cleanup
Maintenance & Trust

ActivityPub Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.4
Downloads: 495K

Community Trust

Rating: 98/100
Number of ratings: 39
Active installs: 6K
Developer Profile

ActivityPub Developer Profile

Automattic

213 plugins · 19.2M total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 1384 days
Detection Fingerprints

How We Detect ActivityPub

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/activitypub/build/blocks.js
/wp-content/plugins/activitypub/build/editor.js
/wp-content/plugins/activitypub/build/index.js
/wp-content/plugins/activitypub/build/render.js
/wp-content/plugins/activitypub/build/style.css

Script Paths
/wp-content/plugins/activitypub/build/blocks.js
/wp-content/plugins/activitypub/build/editor.js
/wp-content/plugins/activitypub/build/index.js
/wp-content/plugins/activitypub/build/render.js

Version Parameters
activitypub/build/blocks.js?ver=
activitypub/build/editor.js?ver=
activitypub/build/index.js?ver=
activitypub/build/render.js?ver=
activitypub/build/style.css?ver=

HTML / DOM Fingerprints

CSS Classes
activitypub-post-embed
Data Attributes
data-activitypub-url
JS Globals
window.activitypub
REST Endpoints
/wp-json/activitypub/1.0/collections
/wp-json/activitypub/1.0/post
/wp-json/activitypub/1.0/users
/wp-json/activitypub/1.0/webfinger
FAQ

Frequently Asked Questions about ActivityPub