BuddyPress Automatic Friends Security & Risk Analysis

wordpress.org/plugins/bp-automatic-friends

Automatically create and accept friendships for specified users upon new user registration. * Requires BuddyPress

200 active installs · v2.0.8 · PHP + · WP 3.5+ · Updated Jan 23, 2022
Tags: admin · automatic · buddypress · friends · instant-friends
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BuddyPress Automatic Friends Safe to Use in 2026?

Generally Safe

Score 85/100

BuddyPress Automatic Friends has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The "bp-automatic-friends" plugin v2.0.8 exhibits a generally good security posture with a small attack surface consisting solely of AJAX handlers. Encouragingly, none of these AJAX handlers are exposed without authentication, and the plugin demonstrates robust SQL query sanitization through the consistent use of prepared statements. The absence of any recorded vulnerabilities, including CVEs, further strengthens its current security standing. However, a significant concern arises from the complete lack of output escaping for all 13 identified output points. This oversight creates a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, as untrusted data could be rendered directly in the browser, potentially allowing attackers to inject malicious scripts. While the plugin has no known historical vulnerabilities, the identified output escaping issue is a critical weakness that requires immediate attention.

Key Concerns

  • Output escaping is not properly implemented
Vulnerabilities
None known

BuddyPress Automatic Friends Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

BuddyPress Automatic Friends Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 13 (0 escaped)
Nonce Checks: 4
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

0% escaped · 13 total outputs
Attack Surface

BuddyPress Automatic Friends Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers: 3

auth · wp_ajax_bpaf_suggest_global_friend · inc\admin.php:61
auth · wp_ajax_bpaf_add_global_friend · inc\admin.php:62
auth · wp_ajax_bpaf_delete_global_friend · inc\admin.php:63

WordPress Hooks: 10

action · bp_loaded · bp-automatic-friends.php:79
action · admin_notices · bp-automatic-friends.php:98
action · wp · bp-automatic-friends.php:103
action · personal_options · inc\admin.php:66
action · personal_options_update · inc\admin.php:67
action · edit_user_profile_update · inc\admin.php:68
action · admin_init · inc\admin.php:76
action · admin_enqueue_scripts · inc\admin.php:77
action · admin_init · inc\update.php:62
action · admin_notices · inc\update.php:103
Maintenance & Trust

BuddyPress Automatic Friends Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Jan 23, 2022
PHP min version:
Downloads: 27K

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 200
Developer Profile

BuddyPress Automatic Friends Developer Profile

Steven Word

2 plugins · 210 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect BuddyPress Automatic Friends

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bp-automatic-friends/css/bpaf-admin-styles.css
/wp-content/plugins/bp-automatic-friends/js/bpaf-admin-scripts.js
Script Paths
/wp-content/plugins/bp-automatic-friends/js/bpaf-admin-scripts.js
Version Parameters
bp-automatic-friends/css/bpaf-admin-styles.css?ver=
bp-automatic-friends/js/bpaf-admin-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
bpaf-settings-field
bpaf-global-friends-wrapper
bpaf-user-search-wrap
HTML Comments
<!-- BuddyPress Automatic Friends Core -->
<!-- Core plugin class -->
<!-- Load the admin -->
<!-- Do this the first time a new user logs in -->
(+22 more)
Data Attributes
data-bpaf-action
data-bpaf-user-id
data-bpaf-nonce
data-bpaf-target-user-id
JS Globals
bpaf_global_vars
FAQ

Frequently Asked Questions about BuddyPress Automatic Friends