bCMS Security & Risk Analysis

wordpress.org/plugins/bcms

A suite of tools that improve WordPress' CMS capabilities.

10 active installs · v5.3 · PHP + · WP 3.3+ · Updated Oct 30, 2014
Tags: bsuite, cms, content-management, formatting, widgets
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is bCMS Safe to Use in 2026?

Generally Safe

Score 85/100

bCMS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11yr ago
Risk Assessment

The "bcms" plugin version 5.3 exhibits a mixed security posture. Static analysis indicates a relatively small attack surface, and all identified entry points appear to be protected by authentication checks (no unprotected AJAX handlers or REST API routes), but there are several concerning code signals. The use of unserialize() is a significant red flag, because deserializing untrusted input can lead to serious vulnerabilities. The single call found, at components\listchildren.php:78, is applied to the output of serialize( $post ), so its exposure depends on where $post originates. Furthermore, a substantial portion of SQL queries do not use prepared statements, increasing the risk of SQL injection. The low percentage of properly escaped output also poses a risk of cross-site scripting (XSS) vulnerabilities.

The plugin's vulnerability history is clean, with no known CVEs. This is a positive indicator, suggesting that the developers have either been diligent in securing the code or that the plugin has not been a significant target. However, the lack of historical vulnerabilities does not negate the risks identified in the static analysis. The strengths lie in the seemingly protected entry points and the absence of known exploits. The weaknesses are primarily in the insecure coding practices identified: the use of unserialize, raw SQL queries, and insufficient output escaping.

Key Concerns

  • Use of unserialize function
  • High percentage of SQL queries not prepared
  • Low percentage of properly escaped output
  • No nonce checks on entry points
Vulnerabilities
None known

bCMS Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

bCMS Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 4 (3 prepared)
Unescaped Output: 236 (116 escaped)
Nonce Checks: 0
Capability Checks: 6
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize in components\listchildren.php:78:

    $post_orig = unserialize( serialize( $post )); // how else to prevent passing object by reference?

SQL Query Safety

43% prepared · 7 total queries

Output Escaping

33% escaped · 352 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
widget (components\class-bcms-wijax-widget.php:18)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

bCMS Attack Surface

Entry Points: 7
Unprotected: 0

AJAX Handlers: 2

auth wp_ajax_bcms-search-reindex components\class-bcms-search.php:31
auth wp_ajax_bcms-search-reset components\class-bcms-search.php:32

Shortcodes: 5

[innerindex] components\innerindex.php:6
[pagemenu] components\listchildren.php:8
[list_pages] components\listchildren.php:9
[attachmentsmenu] components\listchildren.php:10
[list_attachments] components\listchildren.php:11

WordPress Hooks: 50

action admin_menu admin.php:25
filter plugin_action_links admin.php:31
action admin_init admin.php:40
action widgets_init bcms.php:26
filter print_footer_scripts components\class-bcms-postloop-scroller.php:42
filter wijax-actions components\class-bcms-postloop-widget.php:22
filter posts_where components\class-bcms-postloop-widget.php:199
filter posts_where components\class-bcms-postloop-widget.php:202
filter posts_where components\class-bcms-postloop-widget.php:214
filter posts_where components\class-bcms-postloop-widget.php:218
filter posts_fields components\class-bcms-postloop-widget.php:252
filter posts_join components\class-bcms-postloop-widget.php:253
filter posts_groupby components\class-bcms-postloop-widget.php:254
filter posts_orderby components\class-bcms-postloop-widget.php:255
filter posts_join components\class-bcms-postloop-widget.php:266
filter posts_orderby components\class-bcms-postloop-widget.php:267
filter posts_request components\class-bcms-postloop-widget.php:357
action init components\class-bcms-postloop.php:26
action template_redirect components\class-bcms-postloop.php:28
action admin_init components\class-bcms-postloop.php:41
action admin_footer components\class-bcms-postloop.php:49
action init components\class-bcms-search.php:12
filter save_post components\class-bcms-search.php:22
action bcms_search_reindex components\class-bcms-search.php:25
action parse_query components\class-bcms-search.php:39
filter posts_search components\class-bcms-search.php:131
filter posts_join_request components\class-bcms-search.php:132
filter posts_fields_request components\class-bcms-search.php:133
filter posts_orderby_request components\class-bcms-search.php:134
filter wijax-base-current components\class-bcms-wijax-widget.php:14
filter wijax-base-home components\class-bcms-wijax-widget.php:15
action init components\class-bcms-wijax.php:18
action widgets_init components\class-bcms-wijax.php:19
filter query_vars components\class-bcms-wijax.php:20
filter request components\class-bcms-wijax.php:30
filter print_footer_scripts components\class-bcms-wijax.php:36
filter template_redirect components\class-bcms-wijax.php:126
filter content_save_pre components\innerindex.php:7
filter save_post components\innerindex.php:9
filter go_theme_page_summary components\innerindex.php:10
filter print_footer_scripts components\late-enqueue.php:29
action update_wpmu_options components\privacy.php:33
action wpmu_options components\privacy.php:34
action blog_privacy_selector components\privacy.php:37
action template_redirect components\privacy.php:40
action template_redirect components\privacy.php:47
action do_robots components\privacy.php:57
action wp_head components\privacy.php:62
action login_head components\privacy.php:63
filter option_ping_sites components\privacy.php:67
Maintenance & Trust

bCMS Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.0.38
Last updated: Oct 30, 2014
PHP min version
Downloads: 4K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

bCMS Developer Profile

Casey Bisson

7 plugins · 290 total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 3405 days
Detection Fingerprints

How We Detect bCMS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bcms/components/js/edit_widgets.js
/wp-content/plugins/bcms/components/js/scrollable.min.js
/wp-content/plugins/bcms/components/css/scrollable.css
Script Paths
/wp-content/plugins/bcms/components/js/edit_widgets.js
/wp-content/plugins/bcms/components/js/scrollable.min.js
Version Parameters
bcms/components/js/edit_widgets.js?ver=2

HTML / DOM Fingerprints

CSS Classes
scrollable
JS Globals
postloops_widgeteditor
FAQ

Frequently Asked Questions about bCMS