BadgeOS Submissions & Nominations Security & Risk Analysis

wordpress.org/plugins/badgeos-nomination-submission-add-on

With BadgeOS Submissions & Nominations you can easily review submissions and nominations from members.

10 active installs · v1.2.5 · PHP 7.0+ · WP 4.0+ · Updated: Unknown
Tags: badgeos, badges, nominations, open-badge, submissions
Score: 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BadgeOS Submissions & Nominations Safe to Use in 2026?

Generally Safe

Score 100/100

BadgeOS Submissions & Nominations has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "badgeos-nomination-submission-add-on" v1.2.5 plugin exhibits a mixed security posture. While the absence of recorded CVEs and a high percentage of properly escaped output are positive indicators, there are significant concerns stemming from the static analysis. The presence of multiple unprotected AJAX handlers and REST API routes creates a substantial attack surface. Specifically, two AJAX handlers and two REST API routes lack proper authentication or permission checks, making them vulnerable to unauthorized access and potential manipulation.

The taint analysis, while not revealing critical or high-severity issues, did identify two flows with unsanitized paths. This suggests a potential for input validation weaknesses that could be exploited, even if not immediately leading to severe consequences. The overall security is somewhat undermined by these entry points that do not adequately protect against malicious actors attempting to interact with the plugin's functionalities. The plugin shows good practices in its use of prepared statements for SQL queries and a decent number of nonce and capability checks, but these are overshadowed by the unprotected entry points.

Given the lack of historical vulnerabilities, it's difficult to draw strong conclusions about long-term maintenance and security responsiveness. However, the current static analysis highlights immediate risks that need addressing. The plugin has strengths in its SQL handling and output escaping, but its weaknesses lie in the exposed AJAX and REST API endpoints. A balanced view suggests that while the core logic might be sound, the plugin's integration points are not sufficiently secured, posing a risk that should be mitigated.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Flows with unsanitized paths
Vulnerabilities
None known

BadgeOS Submissions & Nominations Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

BadgeOS Submissions & Nominations Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (6 prepared)
Unescaped Output: 22 (160 escaped)
Nonce Checks: 5
Capability Checks: 3
File Operations: 2
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

50% prepared · 12 total queries

Output Escaping

88% escaped · 182 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
badgeos_submission_column_action (includes\submission-actions.php:189)
Attack Surface: 4 unprotected

BadgeOS Submissions & Nominations Attack Surface

Entry Points: 6
Unprotected: 4

AJAX Handlers: 4

auth wp_ajax_update-feedback (includes\functions.php:38)
nopriv wp_ajax_update-feedback (includes\functions.php:39)
auth wp_ajax_get-feedback (includes\functions.php:62)
nopriv wp_ajax_get-feedback (includes\functions.php:63)

REST API Routes: 2

GET /wp-json/badgeos/block-nominations-list (includes\blocks\blocks.php:18)
GET /wp-json/badgeos/block-submissions-list (includes\blocks\blocks.php:24)
WordPress Hooks: 50

action admin_enqueue_scripts (badgeos-nomination-submission-addon.php:228)
action wp_enqueue_scripts (badgeos-nomination-submission-addon.php:229)
action plugins_loaded (badgeos-nomination-submission-addon.php:231)
filter gettext (badgeos-nomination-submission-addon.php:231)
action admin_notices (badgeos-nomination-submission-addon.php:313)
action plugins_loaded (badgeos-nomination-submission-addon.php:320)
action rest_api_init (includes\blocks\blocks.php:31)
action init (includes\blocks\blocks.php:296)
action init (includes\blocks\src\init.php:89)
filter bulk_actions-edit-submission (includes\functions.php:79)
filter bulk_actions-edit-nomination (includes\functions.php:95)
filter the_content (includes\functions.php:153)
filter badgeos_achievement_earned_by (includes\functions.php:170)
filter handle_bulk_actions-edit-submission (includes\functions.php:243)
filter handle_bulk_actions-edit-nomination (includes\functions.php:244)
action badgeos_general_settings_tab_header (includes\integrations.php:10)
action badgeos_general_settings_tab_content (includes\integrations.php:11)
action badgeos_tools_badgeos_information (includes\integrations.php:13)
action badgeos_award_achievement (includes\integrations.php:14)
action badgeos_email_tools_settings_tab_header (includes\integrations.php:17)
action badgeos_email_tools_settings_tab_content (includes\integrations.php:19)
action admin_init (includes\integrations.php:21)
action admin_notices (includes\integrations.php:182)
action admin_notices (includes\integrations.php:232)
action cmb2_admin_init (includes\metaboxes.php:56)
filter badgeos_submission_cpt_status_update (includes\metaboxes.php:70)
filter badgeos_nomination_cpt_status_update (includes\metaboxes.php:71)
action cmb2_admin_init (includes\metaboxes.php:154)
action add_meta_boxes (includes\metaboxes.php:168)
action cmb2_admin_init (includes\metaboxes.php:241)
action init (includes\post_types.php:94)
action init (includes\shortcodes\badgeos_nomination.php:27)
action init (includes\shortcodes\badgeos_nominations.php:56)
action init (includes\shortcodes\badgeos_submission.php:28)
action wp (includes\shortcodes\badgeos_submission.php:58)
action init (includes\shortcodes\badgeos_submissions.php:76)
filter post_row_actions (includes\submission-actions.php:129)
filter manage_edit-submission_columns (includes\submission-actions.php:153)
filter manage_edit-nomination_columns (includes\submission-actions.php:154)
action manage_posts_custom_column (includes\submission-actions.php:250)
action restrict_manage_posts (includes\submission-actions.php:280)
filter pre_get_posts (includes\submission-actions.php:304)
action save_post (includes\submission-actions.php:349)
filter badgeos_notifications_submission_approved_messages (includes\submission-actions.php:821)
filter badgeos_notifications_nomination_approved_messages (includes\submission-actions.php:940)
filter badgeos_notifications_submission_denied_messages (includes\submission-actions.php:1012)
filter badgeos_notifications_nomination_denied_messages (includes\submission-actions.php:1090)
filter badgeos_notifications_submission_pending_messages (includes\submission-actions.php:1164)
filter badgeos_notifications_nomination_pending_messages (includes\submission-actions.php:1241)
action init (includes\submission-actions.php:1538)
Maintenance & Trust

BadgeOS Submissions & Nominations Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.0
Last updated: Unknown
PHP min version: 7.0
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

BadgeOS Submissions & Nominations Developer Profile

learningtimes

12 plugins · 720 total installs

Trust score: 86
Avg Security Score: 88/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect BadgeOS Submissions & Nominations

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/css/admin.css
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/css/frontend.css
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/js/admin.js
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/js/frontend.js
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/js/backend.js
Script Paths
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/js/admin.js
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/js/frontend.js
/wp-content/plugins/badgeos-nomination-submission-add-on/assets/js/backend.js
Version Parameters
badgeos-nomination-submission-add-on/assets/css/admin.css?ver=
badgeos-nomination-submission-add-on/assets/css/frontend.css?ver=
badgeos-nomination-submission-add-on/assets/js/admin.js?ver=
badgeos-nomination-submission-add-on/assets/js/frontend.js?ver=
badgeos-nomination-submission-add-on/assets/js/backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
bos-ns-submission-form
bos-ns-nomination-form
bos-ns-admin-notifications
HTML Comments
<!-- Badgeos Nomination & Submission Add-On by BadgeOS -->
<!-- BOS_Nomination_Submission class -->
Data Attributes
data-achievement-id
data-submission-nonce
data-nomination-nonce
JS Globals
bos_ns_admin_ajax
bos_ns_frontend_ajax
REST Endpoints
/wp-json/badgeos-ns/v1/submission
/wp-json/badgeos-ns/v1/nomination
Shortcode Output
[badgeos_submission_form]
[badgeos_nomination_form]
FAQ

Frequently Asked Questions about BadgeOS Submissions & Nominations