bbPress Messages Security & Risk Analysis

wordpress.org/plugins/bbp-messages

bbPress Messages - Simple yet powerful private messaging system tailored for bbPress.

100 active installs · v2.0.9.1 · PHP + WP 3.0.1+ · Updated Nov 15, 2017
Tags: bbpress, buddypress, forums, messages, private-messages
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is bbPress Messages Safe to Use in 2026?

Generally Safe

Score 85/100

bbPress Messages has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8yr ago
Risk Assessment

The "bbp-messages" v2.0.9.1 plugin exhibits a generally strong security posture based on the provided static analysis. The absence of AJAX handlers, REST API routes, shortcodes, and external HTTP requests significantly limits the plugin's attack surface. The low number of flows analyzed in the taint analysis and the complete absence of unsanitized paths or critical/high severity flows are positive indicators, suggesting no immediate, severe vulnerabilities were found within the scope of the analysis. Furthermore, the plugin has no recorded vulnerability history (CVEs), which is a significant strength and indicates a history of stable and secure development.

Key Concerns

  • Output escaping is less than 50%
  • SQL queries not using prepared statements for 23% of queries
  • Limited nonce checks for entry points
  • Limited capability checks for entry points
Vulnerabilities
None known

bbPress Messages Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

bbPress Messages Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 14 (46 prepared)
Unescaped Output: 135 (118 escaped)
Nonce Checks: 5
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

77% prepared · 60 total queries

Output Escaping

47% escaped · 253 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
<Init> (Inc\Core\Init.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

bbPress Messages Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 78
action admin_init BbpMessages.php:153
action activated_plugin CheckReady.php:50
filter plugin_row_meta Inc\Admin\Admin.php:70
filter bbpm_admin_tabs Inc\Admin\Importers\bbPMessages.php:26
filter bbpm_bbpm_importer_message_str Inc\Admin\Importers\bbPMessages.php:27
filter bbpm_admin_tabs Inc\Admin\Settings.php:18
filter bbpm_settings_email_body_editor_value Inc\Admin\Settings.php:19
filter bbpm_settings_email_subject_editor_value Inc\Admin\Settings.php:20
filter bbpm_search_query Inc\Core\functions.php:475
action init Inc\Core\Init.php:68
action init Inc\Core\Init.php:69
action init Inc\Core\Init.php:74
action init Inc\Core\Init.php:76
action wp_enqueue_scripts Inc\Core\Init.php:78
filter query_vars Inc\Core\Init.php:80
action wp Inc\Core\Init.php:82
action wp_enqueue_scripts Inc\Core\Init.php:84
action BPT_content-messages Inc\Core\Init.php:86
action bbpm_template_head Inc\Core\Init.php:88
filter bbpm_message_data Inc\Core\Init.php:90
filter bbpm_message Inc\Core\Init.php:92
filter bbpm_message Inc\Core\Init.php:93
filter bbpm_message Inc\Core\Init.php:94
filter bbpm_message Inc\Core\Init.php:95
filter bbpm_message Inc\Core\Init.php:96
filter bbpm_message Inc\Core\Init.php:97
filter bbpm_message Inc\Core\Init.php:98
filter bbpm_message Inc\Core\Init.php:99
filter bbpm_message Inc\Core\Init.php:100
filter bbpm_message Inc\Core\Init.php:101
filter bbpm_message Inc\Core\Init.php:102
filter bbpm_message Inc\Core\Init.php:103
filter bbpm_message Inc\Core\Init.php:104
filter bbpm_message Inc\Core\Init.php:105
filter bbpm_excerpt Inc\Core\Init.php:107
filter bbpm_excerpt Inc\Core\Init.php:108
filter bbpm_excerpt Inc\Core\Init.php:109
filter bbpm_excerpt Inc\Core\Init.php:110
filter bbpm_excerpt Inc\Core\Init.php:111
filter bbpm_excerpt Inc\Core\Init.php:112
filter bbpm_excerpt Inc\Core\Init.php:113
filter bbpm_excerpt Inc\Core\Init.php:114
filter bbpm_search_query Inc\Core\Init.php:116
filter bbpm_search_query Inc\Core\Init.php:117
action bbpm_init_pre_send_message Inc\Core\Init.php:119
filter pre_get_document_title Inc\Core\Init.php:121
filter wp_title Inc\Core\Init.php:123
filter pre_get_document_title Inc\Core\Init.php:125
filter wp_title Inc\Core\Init.php:127
filter bbpm_notification_body Inc\Core\Init.php:129
action widgets_init Inc\Core\Init.php:135
action bbpm_widget_start_output Inc\Core\Init.php:137
action bbpm_widget_new_message_start_output Inc\Core\Init.php:139
filter bbpm_old_string Inc\Core\Init.php:141
filter wp_nav_menu_items Inc\Core\Init.php:143
action bbp_template_after_user_profile Inc\Core\integrate.php:6
action bbp_theme_after_reply_author_details Inc\Core\integrate.php:22
action bbp_user_edit_after_contact Inc\Core\integrate.php:38
action personal_options_update Inc\Core\integrate.php:56
action edit_user_profile_update Inc\Core\integrate.php:58
filter bbpm_admin_tabs Inc\Core\Shortcodes.php:59
action init Inc\Lib\bbPress-Profile-Tabs\bbPressProfileTabs.php:31
action wp_head Inc\Lib\bbPress-Profile-Tabs\bbPressProfileTabs.php:36
action wp_footer Inc\Lib\bbPress-Profile-Tabs\bbPressProfileTabs.php:38
filter query_vars Inc\Lib\bbPress-Profile-Tabs\bbPressProfileTabs.php:40
action wp Inc\Lib\bbPress-Profile-Tabs\bbPressProfileTabs.php:42
action bbp_template_before_user_profile Inc\Lib\bbPress-Profile-Tabs\bbPressProfileTabs.php:44
filter cron_schedules Inc\Lib\wp-messages\src\wp-messages.php:333
filter WP_Messages_get_chat_meta_value_recipients Inc\Lib\wp-messages\src\wp-messages.php:907
filter WP_Messages_update_chat_meta_value_recipients Inc\Lib\wp-messages\src\wp-messages.php:908
filter WP_Messages_get_chat_meta_value_unread Inc\Lib\wp-messages\src\wp-messages.php:909
filter WP_Messages_update_chat_meta_value_unread Inc\Lib\wp-messages\src\wp-messages.php:910
filter cron_schedules Inc\Lib\wp-messages\src\wp-messages.php:912
action WP_Messages_weekly_cleanup Inc\Lib\wp-messages\src\wp-messages.php:919
action WP_Messages_weekly_cleanup Inc\Lib\wp-messages\src\wp-messages.php:921
action WP_Messages_weekly_cleanup Inc\Lib\wp-messages\src\wp-messages.php:925
action admin_init index.php:49
action plugins_loaded index.php:54

Scheduled Events: 1

WP_Messages_weekly_cleanup
Maintenance & Trust

bbPress Messages Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Nov 15, 2017
PHP min version
Downloads: 24K

Community Trust

Rating: 90/100
Number of ratings: 11
Active installs: 100
Developer Profile

bbPress Messages Developer Profile

DevriX

12 plugins · 670 total installs

Trust score: 85
Avg Security Score: 87/100
Avg Patch Time: 9 days
Detection Fingerprints

How We Detect bbPress Messages

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/bbp-messages/Assets/css/widget-new-message.css
  • /wp-content/plugins/bbp-messages/Assets/css/widget-my-chats.css
  • /wp-content/plugins/bbp-messages/Assets/css/widget-search.css
  • /wp-content/plugins/bbp-messages/Assets/css/widget-my-contacts.css
  • /wp-content/plugins/bbp-messages/Assets/css/widget-welcome.css
  • /wp-content/plugins/bbp-messages/Assets/css/widget-my-messages.css
  • /wp-content/plugins/bbp-messages/Assets/css/main.css
  • /wp-content/plugins/bbp-messages/Assets/js/main.js
  • +4 more
Script Paths
  • /wp-content/plugins/bbp-messages/Assets/js/main.js
  • /wp-content/plugins/bbp-messages/Assets/js/bbp-messages.js
  • /wp-content/plugins/bbp-messages/Assets/js/bbpm-ajax.js
  • /wp-content/plugins/bbp-messages/Assets/js/bbpm-chat.js
  • /wp-content/plugins/bbp-messages/Assets/js/bbpm-compose.js
Version Parameters
  • bbp-messages/Assets/css/widget-new-message.css?ver=
  • bbp-messages/Assets/css/widget-my-chats.css?ver=
  • bbp-messages/Assets/css/widget-search.css?ver=
  • bbp-messages/Assets/css/widget-my-contacts.css?ver=
  • bbp-messages/Assets/css/widget-welcome.css?ver=
  • bbp-messages/Assets/css/widget-my-messages.css?ver=
  • bbp-messages/Assets/css/main.css?ver=
  • bbp-messages/Assets/js/main.js?ver=
  • bbp-messages/Assets/js/bbp-messages.js?ver=
  • bbp-messages/Assets/js/bbpm-ajax.js?ver=
  • bbp-messages/Assets/js/bbpm-chat.js?ver=
  • bbp-messages/Assets/js/bbpm-compose.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • bbpm-chat-container
  • bbpm-new-message-wrapper
  • bbpm-widget-wrap
  • bbpm-widget-welcome
  • bbpm-widget-new-message
  • bbpm-widget-my-chats
  • bbpm-widget-my-messages
  • bbpm-widget-search
  • +32 more
HTML Comments
  • <!-- bbPM: Private Message Box Widget -->
  • <!-- bbPM: New Message Widget -->
  • <!-- bbPM: My Chats Widget -->
  • <!-- bbPM: My Messages Widget -->
  • +16 more
Data Attributes
  • data-bbpm-chat-id
  • data-bbpm-user-id
  • data-bbpm-compose-modal
  • data-bbpm-recipient-id
  • data-bbpm-chat-id
  • data-bbpm-message-id
  • +2 more
JS Globals
  • bbpm_ajax_object
  • bbpm_composer_settings
REST Endpoints
  • /wp-json/bbpm/v1/chats
  • /wp-json/bbpm/v1/messages
  • /wp-json/bbpm/v1/send
  • /wp-json/bbpm/v1/settings
  • /wp-json/bbpm/v1/users
Shortcode Output
  • [bbp-messages]
  • [bbpm_compose_form]
  • [bbpm_conversation_list]
  • [bbpm_message_display]
FAQ

Frequently Asked Questions about bbPress Messages