Activity Plus Reloaded for BuddyPress Security & Risk Analysis

The 'bp-activity-plus-reloaded' plugin v1.1.2 exhibits a concerning security posture, primarily due to its significant number of unprotected AJAX handlers and a history of unpatched vulnerabilities. While the plugin demonstrates good practices in using prepared statements for SQL queries and includes some nonce and capability checks, these strengths are overshadowed by critical weaknesses. The static analysis reveals 6 AJAX handlers, all of which lack authentication checks, creating a large attack surface accessible to unauthenticated users. Furthermore, the taint analysis indicates flows with unsanitized paths, suggesting potential for vulnerabilities. The plugin's vulnerability history is particularly worrying, with 3 known CVEs, 2 of which remain unpatched. These past vulnerabilities have included Cross-site Scripting (XSS), Missing Authorization, and Server-Side Request Forgery (SSRF), indicating a pattern of recurring security flaws. The recent nature of the last vulnerability (2025-10-12) is also a red flag, suggesting ongoing development or persistent issues.

In conclusion, while the plugin utilizes prepared statements and some security checks, the prevalence of unprotected entry points and the history of unpatched vulnerabilities, including critical types, make this plugin a high-risk component. The unpatched vulnerabilities and missing authorization checks on AJAX handlers are the most significant concerns, demanding immediate attention. Users should exercise extreme caution and consider disabling or replacing this plugin until these issues are fully addressed.