Buddypress Avatar Hover Security & Risk Analysis
wordpress.org/plugins/bp-avatar-hover
BuddyPress Avatar Hover lets you add a pop-up box when hovering over group/member avatars, giving more information at a glance.
Is Buddypress Avatar Hover Safe to Use in 2026?
Generally Safe
Score 85/100. This verdict counts only the vulnerability record and maintenance signals: Buddypress Avatar Hover has no known CVEs and is actively maintained. The static-analysis findings below cut the other way, so weigh the score against them before deploying the plugin.
Static analysis of "bp-avatar-hover" v1.0 shows a weak security posture, driven chiefly by unprotected AJAX handlers. The plugin does two things right: its database access goes exclusively through prepared statements, and it has no recorded vulnerability history. Those strengths do not offset the weaknesses below.
All four AJAX entry points found in the code lack authentication checks: no nonce verification, so every handler can be triggered cross-site by a page the victim visits, and no capability check, so any caller who can reach a handler can invoke it with full effect. Whether a handler is reachable without a login depends on whether it is registered on the wp_ajax_nopriv_ hook as well as wp_ajax_; the analysis does not distinguish the two, so treat each handler as reachable by at least every logged-in member. Separately, the plugin performs no output escaping at all: any user-controlled value it prints, such as the member and group details the hover card displays, is a potential cross-site scripting (XSS) sink. The taint analysis, though limited in coverage, confirms flows from request input to output that pass through no sanitization.
In short: no known CVEs and safe SQL handling, but unprotected AJAX endpoints and a complete lack of output escaping put the plugin, and any site running it, at high risk. Site owners should confirm these findings against the release they run and restrict or disable the plugin until its handlers verify nonces and capabilities and escape their output.
Key Concerns
- 4 AJAX handlers without auth checks
- 0% output escaping
- 0 nonce checks
- 0 capability checks
- Taint analysis shows unsanitized paths
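As an added illustration (not code from bp-avatar-hover, whose handlers and action names do not appear on this page), here is the shape of AJAX handler the four findings describe, beside a hardened version that addresses each one. The action name bpah_member_card, the callback names, the 'read' capability and the script handle are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Action name, callback names and
// the capability used are assumptions for illustration.

// --- The pattern the static analysis flags: no nonce, no capability check,
//     raw request input, unescaped output. ---
add_action( 'wp_ajax_bpah_member_card', 'bpah_member_card_unsafe' );
add_action( 'wp_ajax_nopriv_bpah_member_card', 'bpah_member_card_unsafe' ); // reachable without login
function bpah_member_card_unsafe() {
    $user = get_userdata( $_POST['user_id'] );                            // unsanitized input
    echo '<div class="g-hover-card">' . $user->display_name . '</div>';   // unescaped output: XSS sink
    wp_die();
}

// --- Hardened version: nonce (CSRF), capability (authz), sanitized input,
//     escaped output. Registered on wp_ajax_ only, so guests cannot reach it. ---
add_action( 'wp_ajax_bpah_member_card', 'bpah_member_card_safe' );
function bpah_member_card_safe() {
    // 1. CSRF: reject requests that do not carry a nonce bound to this action.
    //    check_ajax_referer() dies with HTTP 403 on failure.
    check_ajax_referer( 'bpah_member_card', 'nonce' );

    // 2. Authorization: the handler exposes member data, so require a
    //    capability (assumption: 'read', the lowest logged-in capability).
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input sanitization: coerce the id to a positive integer before use.
    $user_id = isset( $_POST['user_id'] ) ? absint( wp_unslash( $_POST['user_id'] ) ) : 0;
    $user    = $user_id ? get_userdata( $user_id ) : false;
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // 4. Output escaping at the sink: each value is escaped for the context it
    //    lands in (URL attribute, plain attribute, text node).
    $html = sprintf(
        '<div class="g-hover-card"><img class="g-hover-card-img" src="%s" alt="%s"><span>%s</span></div>',
        esc_url( get_avatar_url( $user_id ) ),
        esc_attr( $user->display_name ),
        esc_html( $user->display_name )
    );
    wp_send_json_success( array( 'html' => $html ) );
}

// The nonce has to reach the browser: hand it to the front-end script along
// with the admin-ajax URL, and send it back as the 'nonce' POST field.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'bpah-pop', plugins_url( 'js/bp-pop.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'bpah-pop', 'bpahAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'bpah_member_card' ),
    ) );
} );
```

If the hover card must also work for logged-out visitors, keep a wp_ajax_nopriv_ registration but still call check_ajax_referer() (nonces work for user 0) and return only data that is already public; the capability check then applies to the logged-in path only. The escaping step is the one that matters for the "0% output escaping" finding: it must sit at the point where a value is written into HTML, not at the point where it is read.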
Buddypress Avatar Hover Security Vulnerabilities
No CVEs or public advisories are recorded for this plugin. The findings below come from static analysis, not from a disclosed vulnerability.
Buddypress Avatar Hover Code Analysis
- SQL Query Safety: all database queries use prepared statements.
- Output Escaping: none found (0% of output paths escaped).
- Data Flow Analysis: taint analysis (limited coverage) found unsanitized paths from request input to output.
Buddypress Avatar Hover Attack Surface
- AJAX Handlers: 4 (none with nonce or capability checks)
- WordPress Hooks: 4
Buddypress Avatar Hover Maintenance & Trust
Maintenance Signals
Community Trust
Buddypress Avatar Hover Alternatives
- Wbcom Designs – Shortcodes & Elementor Widgets For BuddyPress (shortcodes-for-buddypress): generates shortcodes for listing activity streams, members, and groups on any post or page.
- BP Local Avatars (bp-local-avatars): a BuddyPress plugin that creates Gravatar avatars for any user or group without one, and stores them locally.
- BuddyPress Group Email Subscription (buddypress-group-email-subscription): lets users receive email notifications of group activity, with weekly or daily digests available.
- BP Group Management (bp-group-management): allows site administrators to manage group membership on versions of BuddyPress earlier than 1.7.
- BuddyPress Default Group Avatar (bp-default-group-avatar): adds a default group avatar to BuddyPress without disabling Gravatars for users.
Buddypress Avatar Hover Developer Profile
4 plugins · 60 total installs
How We Detect Buddypress Avatar Hover
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/bp-avatar-hover/css/bp-pop.css
- /wp-content/plugins/bp-avatar-hover/js/jquery.tooltipster.js
- /wp-content/plugins/bp-avatar-hover/js/bp-pop.js
- bp-avatar-hover/css/bp-pop.css?ver=
- bp-avatar-hover/js/jquery.tooltipster.js?ver=
- bp-avatar-hover/js/bp-pop.js?ver=
HTML / DOM Fingerprints
- g-hover-card
- g-hover-card-img
- user-avatar-pop
- bottom-pop
- pop-font
- pop-minus
- pop-plus
- pop-accept
- +7 more
- id="non-pop"
- id="friends-container"
- window._member
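The following is an added example of how the fingerprints above can be matched against a fetched page; it is not the corpus' own crawler code, uses only the patterns listed here (not the "+7 more" that are elided), and runs on a constructed sample rather than a live site.

```php
<?php
// Added example, not the detection code behind this page. The sample HTML is
// constructed; the pattern lists are the ones shown above.

/**
 * Return the bp-avatar-hover fingerprints found in $html, grouped by kind.
 * Asset paths are matched on the plugin-relative part, so absolute
 * "/wp-content/plugins/..." URLs and "?ver=" variants both match, and only
 * inside src/href attributes so a page merely mentioning the path does not.
 */
function bpah_fingerprints( string $html ): array {
    $assets = array(
        'bp-avatar-hover/css/bp-pop.css',
        'bp-avatar-hover/js/jquery.tooltipster.js',
        'bp-avatar-hover/js/bp-pop.js',
    );
    $dom = array(
        'g-hover-card', 'g-hover-card-img', 'user-avatar-pop', 'bottom-pop',
        'pop-font', 'pop-minus', 'pop-plus', 'pop-accept',
        'id="non-pop"', 'id="friends-container"', 'window._member',
    );

    $hits = array( 'assets' => array(), 'dom' => array() );

    // Collect every src/href value, then test each asset pattern against them.
    preg_match_all( '/\b(?:src|href)=["\']([^"\']+)["\']/i', $html, $m );
    foreach ( $assets as $pattern ) {
        foreach ( $m[1] as $url ) {
            if ( strpos( $url, $pattern ) !== false ) {
                $hits['assets'][] = $pattern;
                break;
            }
        }
    }

    // DOM markers are matched as literal substrings of the document.
    foreach ( $dom as $pattern ) {
        if ( strpos( $html, $pattern ) !== false ) {
            $hits['dom'][] = $pattern;
        }
    }
    return $hits;
}

// Constructed sample: the head and a fragment of a BuddyPress page with the
// plugin active. Hostname is a placeholder.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.com/wp-content/plugins/bp-avatar-hover/css/bp-pop.css?ver=1.0">
<script src="https://example.com/wp-content/plugins/bp-avatar-hover/js/jquery.tooltipster.js?ver=1.0"></script>
<script src="https://example.com/wp-content/plugins/bp-avatar-hover/js/bp-pop.js?ver=1.0"></script>
<div id="friends-container"><div class="g-hover-card"><img class="g-hover-card-img" src="/a.png"></div></div>
<script>window._member = {};</script>
HTML;

$found = bpah_fingerprints( $sample );
// Asset hits alone are the strong signal: a theme could reuse class names,
// but only the plugin ships files under its own directory.
printf( "assets: %d/3, dom: %d/11\n", count( $found['assets'] ), count( $found['dom'] ) );
print_r( $found );
```

Treat the three asset paths as the decisive signal and the DOM markers as corroboration: class names such as pop-plus are generic enough to collide with other themes and plugins, whereas a 200 response for /wp-content/plugins/bp-avatar-hover/js/bp-pop.js identifies the plugin directory itself.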