WP-Safety

BadgeOS Invite Codes Add-on Security & Risk Analysis

wordpress.org/plugins/badgeos-invite-codes-add-on

Enhances sites running BuddyPress and BadgeOS by joining users to one or more specified groups when they use a special Invite Code to join your site.

10 active installs v1.1.3 PHP + WP 4.0+ Updated Feb 28, 2022
badgebadgescredlyobiopenbadges
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is BadgeOS Invite Codes Add-on Safe to Use in 2026?

Generally Safe

Score 85/100

BadgeOS Invite Codes Add-on has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4yr ago
Risk Assessment

The plugin "badgeos-invite-codes-add-on" v1.1.3 exhibits a mixed security posture. On the positive side, it avoids dangerous functions, uses prepared statements for all SQL queries, and has no recorded vulnerability history, suggesting a generally careful development approach and a lack of known exploits. The absence of file operations and external HTTP requests further reduces common attack vectors.

However, significant concerns arise from the static analysis. The plugin exposes two AJAX handlers without any authentication checks, creating a direct entry point for potential attackers. Furthermore, the taint analysis reveals two high-severity flows with unsanitized paths, indicating that user-supplied data could be processed in a way that leads to vulnerabilities, even if specific critical issues were not identified in this analysis. The low percentage of properly escaped output (36%) also points to a risk of Cross-Site Scripting (XSS) vulnerabilities.

While the clean vulnerability history is a strong positive, the presence of unprotected AJAX endpoints and high-severity taint flows represents immediate and actionable risks. The plugin's strengths lie in its avoidance of direct SQL injection and risky functions, but its weaknesses in input validation and access control for its AJAX endpoints need to be addressed to improve its overall security.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flows with unsanitized paths
  • Low percentage of properly escaped output
  • Missing capability checks on entry points
Vulnerabilities
None known

BadgeOS Invite Codes Add-on Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

BadgeOS Invite Codes Add-on Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
4 prepared
Unescaped Output
16
9 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared4 total queries

Output Escaping

36% escaped25 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

5 flows3 with unsanitized paths
bp_invite_codes_bp_after_signup_profile_fields (includes\functions.php:53)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

BadgeOS Invite Codes Add-on Attack Surface

Entry Points2
Unprotected2

AJAX Handlers 2

authwp_ajax_bp_invite_codes_bp_get_group_join_buttonincludes\functions.php:654
noprivwp_ajax_bp_invite_codes_bp_get_group_join_buttonincludes\functions.php:655
WordPress Hooks 25
actionadmin_noticesbuddypress-invite-codes.php:55
actionbp_includebuddypress-invite-codes.php:57
actionwp_enqueue_scriptsbuddypress-invite-codes.php:60
actionadmin_enqueue_scriptsbuddypress-invite-codes.php:61
actioninitincludes\functions.php:46
actionbp_before_account_details_fieldsincludes\functions.php:87
actionbp_invite_codes_errorsincludes\functions.php:113
actionbp_signup_validateincludes\functions.php:116
actionbp_core_signup_userincludes\functions.php:153
actionwpmu_activate_userincludes\functions.php:180
actionwpmu_activate_blogincludes\functions.php:192
actiongroups_create_group_step_save_group-settingsincludes\functions.php:394
actiongroups_group_settings_editedincludes\functions.php:395
actionbp_after_group_settings_adminincludes\functions.php:418
actionbp_after_group_settings_creation_stepincludes\functions.php:419
filterbp_get_group_join_buttonincludes\functions.php:633
actionadmin_menuincludes\settings.php:23
actionadd_meta_boxesincludes\settings.php:173
actionsave_postincludes\settings.php:182
actionadmin_initincludes\settings.php:185
filterredirect_post_locationincludes\settings.php:341
filterpost_updated_messagesincludes\settings.php:359
actioncmb2_admin_initincludes\settings.php:414
filtermanage_edit-bp-invite-codes_columnsincludes\settings.php:431
actionmanage_posts_custom_columnincludes\settings.php:479
Maintenance & Trust

BadgeOS Invite Codes Add-on Maintenance & Trust

Maintenance Signals

WordPress version tested5.9.13
Last updatedFeb 28, 2022
PHP min version
Downloads7K

Community Trust

Rating100/100
Number of ratings1
Active installs10
Alternatives

BadgeOS Invite Codes Add-on Alternatives

BadgeOS Community Add-on

BadgeOS Community Add-on

badgeos-community-add-on

A
85

Adds BadgeOS features to BuddyPress and bbPress. Earn badges/points/ranks based on community activity, and display them on user profiles and activity …

300 No CVEs
Open Badges Issuer Add-on

Open Badges Issuer Add-on

badgeos-open-badges-issuer-add-on

A
100

Issue Mozilla Open Badges directly from your site with this add-on for BadgeOS

10 No CVEs
BadgeOS Suggested Achievements Add-on

BadgeOS Suggested Achievements Add-on

badgeos-suggested-achievements-add-on

A
85

Enhances sites running BuddyPress and BadgeOS by suggesting next possible incomplete achievements that a user can earn.

10 No CVEs
Credly Custom Badge Assertion Shortcode

Credly Custom Badge Assertion Shortcode

credly-pro-custom-assertion

A
85

Easily create an official Credly Badge Assertion page on your site.

10 No CVEs
Activation Add-on for GamiPress

Activation Add-on for GamiPress

activation-add-on-for-gamipress

A
85

This GamiPress add-on adds a global switch in the Backend where the awarding of badges can be enabled and disabled.

0 No CVEs
Developer Profile

BadgeOS Invite Codes Add-on Developer Profile

learningtimes

12 plugins · 720 total installs

86
trust score
Avg Security Score
88/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect BadgeOS Invite Codes Add-on

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/badgeos-invite-codes-add-on/assets/js/sweetalert2.min.js/wp-content/plugins/badgeos-invite-codes-add-on/assets/css/sweetalert2.min.css/wp-content/plugins/badgeos-invite-codes-add-on/js/bp-invite-codes.js/wp-content/plugins/badgeos-invite-codes-add-on/css/admin.css
Script Paths
/wp-content/plugins/badgeos-invite-codes-add-on/js/bp-invite-codes.js
Version Parameters
badgeos-invite-codes-add-on/assets/js/sweetalert2.min.js?ver=badgeos-invite-codes-add-on/assets/css/sweetalert2.min.css?ver=badgeos-invite-codes-add-on/js/bp-invite-codes.js?ver=badgeos-invite-codes-add-on/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
bp-invite-codes-admin
HTML Comments
Copyright © 2012-2013 Credly, LLCThis program is free software: you can redistribute it and/or modify itunder the terms of the GNU Affero General Public License, version 3,as published by the Free Software Foundation.+6 more
Data Attributes
data-recipient-id
JS Globals
bp_invite_codes
FAQ

Frequently Asked Questions about BadgeOS Invite Codes Add-on