[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbRG9XL7265tBenDAQPWGefNTaBcSPJMPajy7usdHm4o":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":38,"analysis":123,"fingerprints":297},"bp-avatar-hover","Buddypress Avatar Hover","1.0","aghajoon","https:\u002F\u002Fprofiles.wordpress.org\u002Faghajoon\u002F","\u003Cp>BuddyPress Avatar Hover lets you add a pop box when hovering on the group\u002Fmember avatars and gives you more information at a glance.\u003Cbr \u002F>\nIf you install the bp-cover plugin, BP Avatar Hover shows the cover of the member\u002Fgroup\u003C\u002Fp>\n","BuddyPress Avatar Hover lets you add a pop box when hovering on the group\u002Fmember avatars and gives you more information at a 
glance.",10,5312,100,1,"2016-06-07T14:09:00.000Z","4.5.33","3.8","",[20,21,22,23,24],"activity","avatar","buddypress","groups","members","http:\u002F\u002Fwebcaffe.ir","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbp-avatar-hover.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":34,"avg_security_score":27,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},4,60,30,84,"2026-04-03T23:04:20.708Z",[39,57,74,95,109],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":11,"last_updated":50,"tested_up_to":51,"requires_at_least":52,"requires_php":18,"tags":53,"homepage":55,"download_link":56,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"shortcodes-for-buddypress","Wbcom Designs – Shortcodes & Elementor Widgets For BuddyPress","2.9.1","wbcomdesigns","https:\u002F\u002Fprofiles.wordpress.org\u002Fwbcomdesigns\u002F","\u003Cp>This plugin will add an extended feature to BuddyPress. 
It will use Shortcode for Listing Activity Streams, Members directory, and Groups directory on any post or page within the website.\u003C\u002Fp>\n\u003Cp>With our current update, we have added three widgets to display the activity stream, member directory, and group directory using Elementor.\u003C\u002Fp>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F554193567\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\n\u003Ch3>THEME – WORDPRESS THEME WITH OUTSTANDING BUDDYPRESS SUPPORT\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fbuddyx\u002F\" rel=\"ugc\">FREE BuddyPress Theme: BuddyX\u003C\u002Fa> – Offers unique layouts with clean code and easy-to-customise options, giving you a whole new way to visualize BuddyPress.\u003C\u002Fli>\n\u003C\u002Ful>\n","This plugin generates shortcodes for Listing Activity Streams, Members, and Groups on any website post or page.",700,51623,92,"2025-09-22T06:44:00.000Z","6.8.5","5.0.0",[20,22,54,23,24],"buddypress-shortcodes","https:\u002F\u002Fgithub.com\u002Fwbcomdesigns\u002Fshortcodes-for-buddypress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-for-buddypress.2.9.1.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":13,"downloaded":65,"rating":66,"num_ratings":67,"last_updated":68,"tested_up_to":51,"requires_at_least":69,"requires_php":18,"tags":70,"homepage":18,"download_link":73,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"bp-local-avatars","BP Local Avatars","3.0","shanebp","https:\u002F\u002Fprofiles.wordpress.org\u002Fshanebp\u002F","\u003Cp>BP Local Avatars is a BuddyPress plugin.\u003C\u002Fp>\n\u003Cp>Do you have members or 
groups on your BuddyPress site who do not have an Avatar?\u003Cbr \u002F>\nAnd you do not want to show the generic default avatar?\u003Cbr \u002F>\nOr maybe you do not want each page view to include a lot of calls to gravatar.com to load avatars?\u003C\u002Fp>\n\u003Cul>\n\u003Cli>This plugin will create a Gravatar Identicon avatar, thumb and full versions, for any user who does not already have an Avatar, and save it locally.\u003C\u002Fli>\n\u003Cli>Supports user creation, user registration, user login, and Bulk Generation for user and groups.\u003C\u002Fli>\n\u003Cli>Uses the existing BuddyPress avatar directory structure.\u003C\u002Fli>\n\u003Cli>Conforms to the defined sizes for BuddyPress thumb and full avatars.\u003C\u002Fli>\n\u003Cli>Users can still upload an avatar via their profile.\u003C\u002Fli>\n\u003Cli>Groups can still upload an avatar via Group > Manage > Photo.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Usage:\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>Provides an option in wp-admin under:\u003Cbr \u002F>\nSettings -> Discussion > Default Avatar > BuddyPress Identicon (Generated and Stored Locally).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Select and Save. Otherwise this plugin will not do anything.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>After saving, you will see a link to ‘Bulk Generate’ avatars for all users and groups who do not have a local avatar. 
If a user already has their own Gravatar, it will save it locally.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>For more BuddyPress plugins, please visit \u003Ca href=\"https:\u002F\u002Fwww.philopress.com\u002F\" rel=\"nofollow ugc\">PhiloPress\u003C\u002Fa>\u003C\u002Fp>\n","A BuddyPress plugin that creates Gravatar avatars for any user or group without one, and stores them locally.",10578,82,7,"2025-04-19T17:32:00.000Z","4.0",[71,22,72,23,24],"avatars","gravatars","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbp-local-avatars.3.0.zip",{"slug":75,"name":76,"version":77,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":82,"downloaded":83,"rating":84,"num_ratings":85,"last_updated":86,"tested_up_to":87,"requires_at_least":88,"requires_php":89,"tags":90,"homepage":93,"download_link":94,"security_score":49,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"buddypress-group-email-subscription","BuddyPress Group Email Subscription","4.2.4","Boone Gorges","https:\u002F\u002Fprofiles.wordpress.org\u002Fboonebgorges\u002F","\u003Cp>This powerful plugin allows users to receive email notifications of group activity. Weekly or daily digests are available. 
Each user can choose how they want to subscribe to their groups.\u003C\u002Fp>\n\u003Cp>Please note that this plugin requires BuddyPress, as well as the BuddyPress Groups and Activity components.\u003C\u002Fp>\n\u003Cp>EMAIL SUBSCRIPTION LEVELS\u003Cbr \u002F>\nThere are 5 levels of email subscription options:\u003C\u002Fp>\n\u003Col>\n\u003Cli>No Email – Read this group on the web\u003C\u002Fli>\n\u003Cli>Weekly Summary Email – A summary of new topics each week\u003C\u002Fli>\n\u003Cli>Daily Digest Email – All the day’s activity bundled into a single email\u003C\u002Fli>\n\u003Cli>New Topics Email – Send new topics as they arrive (but don’t send replies)\u003C\u002Fli>\n\u003Cli>All Email – Send all group activity as it arrives\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>DEFAULT SUBSCRIPTION STATUS\u003Cbr \u002F>\nGroup admins can choose one of the 5 subscription levels as a default that gets applied when new members join.\u003C\u002Fp>\n\u003Cp>DIGEST AND SUMMARY EMAILS\u003Cbr \u002F>\nThe daily digest email is sent every morning and contains all the emails from all the groups a user is subscribed to. The digest begins with a helpful topic summary. The weekly summary email contains the topic titles from the past week by default. Summary and digest timing can be configured in the back end. (The admin can view a sample of the digests and summaries in the queue by adding this to your URL: mydomain.com\u002Fsum=1. This won’t send emails, just show what will be sent)\u003C\u002Fp>\n\u003Cp>HTML EMAILS\u003Cbr \u002F>\nThe digest and summary emails are sent out in multipart HTML and plain text email format. This makes the digest much more readable with better links. 
The email is multipart so users who need only plain text will get plain text.\u003C\u002Fp>\n\u003Cp>EMAILS FOR TOPICS I’VE STARTED OR COMMENTED ON (only available with BuddyPress legacy discussion forums)\u003Cbr \u002F>\nUsers receive email notifications when someone replies to a topic they create or comment on (similar to Facebook). This happens whether they are subscribed or not. Users can control this behaviour in their notifications page.\u003C\u002Fp>\n\u003Cp>TOPIC FOLLOW AND MUTE (only available with BuddyPress legacy discussion forums)\u003Cbr \u002F>\nUsers who are not fully subscribed to a group (ie. maybe they are on digest) can choose to get immediate email updates for specific topic threads. Any subsequent replies to that thread will be emailed to them. In an opposite way, users who are fully subscribed to a group but want to stop getting emails from a specific (perhaps annoying) thread can choose to mute that topic.  bbPress plugin users can utilize the “Subscribe” \u002F “Notify me of follow-up replies via email” option.\u003C\u002Fp>\n\u003Cp>ADMIN NOTIFICATION\u003Cbr \u002F>\nGroup admins can send out an email to all group members from the group’s admin section. This feature is helpful to quickly communicate to the whole group, but it should be used with caution.\u003C\u002Fp>\n\u003Cp>GROUP ADMINS CAN SET SUBSCRIPTION LEVEL\u003Cbr \u002F>\nGroup admins can set the subscription level for existing users on the group’s “Admin > Manage Members” page – either one by one or all at once.\u003C\u002Fp>\n\u003Cp>SPAM PROTECTION\u003Cbr \u002F>\nTo protect against spam, you can set a minimum number of days users need to be registered before their group activity will be emailed to other users. 
This feature is off by default, but can be enabled in the admin.\u003C\u002Fp>\n\u003Cp>TRANSLATORS\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Brazilian Portuguese – www.about.me\u002Fdennisaltermann (or www.congregacao.net)\u003C\u002Fli>\n\u003Cli>Catalan – Sara Arjona Téllez\u003C\u002Fli>\n\u003Cli>Danish – Morten Nalholm\u003C\u002Fli>\n\u003Cli>Dutch – Anja werkgroepen.net\u002Fwordpress, Tim de Hoog\u003C\u002Fli>\n\u003Cli>Farsi – Vahid Masoomi http:\u002F\u002Fwww.AzUni.ir\u003C\u002Fli>\n\u003Cli>French – http:\u002F\u002Fwww.claudegagne-photo.com, Sylvain Ghysens\u003C\u002Fli>\n\u003Cli>German – Peter Peterson, Thorsten Wollenhöfer, Jörg Lohrer\u003C\u002Fli>\n\u003Cli>Hebrew – Iggy Pritzker\u003C\u002Fli>\n\u003Cli>Italian – Stefano Russo\u003C\u002Fli>\n\u003Cli>Japanese – https:\u002F\u002Fbuddypress.org\u002Fcommunity\u002Fmembers\u002Fchestnut_jp\u002F\u003C\u002Fli>\n\u003Cli>Lithuanian – Vincent G http:\u002F\u002Fwww.Host1Free.com\u003C\u002Fli>\n\u003Cli>Russian – http:\u002F\u002Fwww.viaestvita.net\u002Fgroups\u002F\u003C\u002Fli>\n\u003Cli>Spanish – Williams Castillo, Gregor Gimmy\u003C\u002Fli>\n\u003Cli>Swedish – Thomas Schneider, Joakim Hising\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>NOTE TO PLUGIN AUTHORS\u003Cbr \u002F>\nIf your plugin posts updates to the standard BuddyPress activity stream, then group members who are subscribed via 3. Daily Digest and 5. All Email will get your updates automatically. However people subscribed as 2. Weekly Summary and 4. New Topic will not. If you feel some of your plugin’s updates are very important and want to make sure all subscribed members receive them, you can filter ‘ass_this_activity_is_important’ and return TRUE when $type matches your activity. 
See the ass_this_activity_is_important() function in bp-activity-subscription-functions.php for more info.\u003C\u002Fp>\n\u003Cp>PLUGIN SUPPORTERS:\u003Cbr \u002F>\nMajor supporters: shambhalanetwork.org & commons.gc.cuny.edu\u003Cbr \u002F>\nOther supporters: bluedotproductions.com\u003C\u002Fp>\n\u003Cp>PLUGIN DEVELOPMENT\u003Cbr \u002F>\nFor bug reports or to add patches or translation files, please visit the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fboonebgorges\u002Fbuddypress-group-email-subscription\u002F\" rel=\"nofollow ugc\">GES Github page\u003C\u002Fa>.  Contributions are definitely welcome!\u003C\u002Fp>\n","This powerful plugin allows users to receive email notifications of group activity. Weekly or daily digests are available.",1000,230356,80,32,"2024-10-04T14:35:00.000Z","6.6.5","3.2","5.3",[91,20,92,22,23],"activities","bp","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fbuddypress-group-email-subscription\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbuddypress-group-email-subscription.4.2.4.zip",{"slug":96,"name":97,"version":98,"author":78,"author_profile":79,"description":99,"short_description":100,"active_installs":35,"downloaded":101,"rating":102,"num_ratings":103,"last_updated":104,"tested_up_to":18,"requires_at_least":18,"requires_php":18,"tags":105,"homepage":107,"download_link":108,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"bp-group-management","BP Group Management","0.6","\u003Cp>NOTE: This plugin is not recommended for users of BuddyPress 1.7+. Instead, use BP’s Groups panel in the Dashboard.\u003C\u002Fp>\n\u003Cp>This plugin creates an admin panel at Dashboard > BuddyPress > Group Management. 
On this panel, site admins can manage BP group membership by banning, unbanning, promoting and demoting current members of any group, adding members to any group, and deleting groups.\u003C\u002Fp>\n\u003Ch3>Translation credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Italian: Luca Camellini\u003C\u002Fli>\n\u003Cli>Turkish: gk\u003C\u002Fli>\n\u003Cli>German: Tom\u003C\u002Fli>\n\u003Cli>Dutch: \u003Ca href=\"http:\u002F\u002Fwerkgroepen.net\u002Fwordpress\u002F\" rel=\"nofollow ugc\">Anja\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Romanian, \u003Ca href=\"http:\u002F\u002Fwebhostinggeeks.com\u002F\" rel=\"nofollow ugc\">Web Geek Science\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>B. Radenovich, Slovak (\u003Ca href=\"http:\u002F\u002Fwebhostingw.com\u002F\" rel=\"nofollow ugc\">Web Hosting Watch\u003C\u002Fa>)\u003C\u002Fli>\n\u003C\u002Ful>\n","Allows site administrators to manage group membership on versions of BuddyPress earlier than 1.7.",38297,46,3,"2013-04-30T00:24:00.000Z",[22,23,106,24],"manage","http:\u002F\u002Fteleogistic.net\u002Fcode\u002Fbuddypress\u002Fbp-group-management","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbp-group-management.0.6.zip",{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":11,"downloaded":117,"rating":13,"num_ratings":14,"last_updated":118,"tested_up_to":18,"requires_at_least":18,"requires_php":18,"tags":119,"homepage":121,"download_link":122,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"bp-default-group-avatar","BuddyPress Default Group Avatar","0.2","Mike Martel","https:\u002F\u002Fprofiles.wordpress.org\u002Fmike_cowobo\u002F","\u003Cp>\u003Cem>This plugin is tested only with BP 1.6.2 and WordPress 3.5, and is not meant to be backwards compatible! 
If you’re running an older version of WordPress, use Vernon’s original plugin \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fbuddypress-default-group-avatar\u002F\" rel=\"ugc\">BuddyPress Group Default Avatar\u003C\u002Fa>\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>Allows specifying the URL of an image to use as the BuddyPress default group avatar. This makes it easy to distinguish groups from members who are using the mystery man default user avatar.\u003C\u002Fp>\n\u003Cp>It works in all situations (activity stream, groups, forums, directory, etc). Upload your image to somewhere within your theme and drop the full URL in the options screen.\u003C\u002Fp>\n\u003Cp>If you had \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fbuddypress-default-group-avatar\u002F\" rel=\"ugc\">BuddyPress Group Default Avatar\u003C\u002Fa> previously installed, this plugin will use the avatar set in that plugin. Otherwise it’s bundled with a default avatar for groups (see screenshots).\u003C\u002Fp>\n\u003Cp>Not tested on multisite\u002Fnetwork install yet (please confirm if it’s working!).\u003C\u002Fp>\n","Adds a default group avatar to BuddyPress without disabling Gravatars for 
users.",3769,"2012-12-19T19:07:00.000Z",[21,22,120,23],"default","http:\u002F\u002Ftrenvo.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbp-default-group-avatar.0.2.zip",{"attackSurface":124,"codeSignals":161,"taintFlows":221,"riskAssessment":281,"analyzedAt":296},{"hooks":125,"ajaxHandlers":145,"restRoutes":158,"shortcodes":159,"cronEvents":160,"entryPointCount":33,"unprotectedCount":33},[126,132,136,140],{"type":127,"name":128,"callback":129,"file":130,"line":131},"action","init","bp_pop_load_textdomain","bp-avatar-hover.php",19,{"type":127,"name":133,"callback":134,"file":130,"line":135},"wp_print_styles","load_styles_pop",28,{"type":127,"name":137,"callback":138,"file":130,"line":139},"wp_enqueue_scripts","load_js_pop",41,{"type":141,"name":142,"callback":143,"priority":11,"file":130,"line":144},"filter","bp_core_fetch_avatar","bp_pop_id_add",315,[146,150,153,156],{"action":147,"nopriv":148,"callback":147,"hasNonce":148,"hasCapCheck":148,"file":130,"line":149},"bp_pop_member",false,153,{"action":147,"nopriv":151,"callback":147,"hasNonce":148,"hasCapCheck":148,"file":130,"line":152},true,154,{"action":154,"nopriv":148,"callback":154,"hasNonce":148,"hasCapCheck":148,"file":130,"line":155},"bp_pop_group",264,{"action":154,"nopriv":151,"callback":154,"hasNonce":148,"hasCapCheck":148,"file":130,"line":157},265,[],[],[],{"dangerousFunctions":162,"sqlUsage":163,"outputEscaping":166,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":28,"bundledLibraries":220},[],{"prepared":164,"raw":28,"locations":165},2,[],{"escaped":28,"rawEcho":35,"locations":167},[168,171,172,174,176,178,179,181,182,184,185,187,188,190,191,193,195,196,198,200,202,204,206,207,209,211,212,214,216,218],{"file":130,"line":169,"context":170},70,"raw 
output",{"file":130,"line":66,"context":170},{"file":130,"line":173,"context":170},102,{"file":130,"line":175,"context":170},103,{"file":130,"line":177,"context":170},110,{"file":130,"line":177,"context":170},{"file":130,"line":180,"context":170},112,{"file":130,"line":180,"context":170},{"file":130,"line":183,"context":170},114,{"file":130,"line":183,"context":170},{"file":130,"line":186,"context":170},118,{"file":130,"line":186,"context":170},{"file":130,"line":189,"context":170},119,{"file":130,"line":189,"context":170},{"file":130,"line":192,"context":170},123,{"file":130,"line":194,"context":170},128,{"file":130,"line":194,"context":170},{"file":130,"line":197,"context":170},133,{"file":130,"line":199,"context":170},184,{"file":130,"line":201,"context":170},195,{"file":130,"line":203,"context":170},214,{"file":130,"line":205,"context":170},218,{"file":130,"line":205,"context":170},{"file":130,"line":208,"context":170},223,{"file":130,"line":210,"context":170},233,{"file":130,"line":210,"context":170},{"file":130,"line":213,"context":170},235,{"file":130,"line":215,"context":170},238,{"file":130,"line":217,"context":170},241,{"file":130,"line":219,"context":170},257,[],[222,240,250],{"entryPoint":223,"graph":224,"unsanitizedCount":238,"severity":239},"bp_pop_member (bp-avatar-hover.php:45)",{"nodes":225,"edges":236},[226,231],{"id":227,"type":228,"label":229,"file":130,"line":230},"n0","source","$_POST (x14)",47,{"id":232,"type":233,"label":234,"file":130,"line":169,"wp_function":235},"n1","sink","echo() [XSS]","echo",[237],{"from":227,"to":232,"sanitized":148},14,"medium",{"entryPoint":241,"graph":242,"unsanitizedCount":164,"severity":239},"bp_pop_group (bp-avatar-hover.php:156)",{"nodes":243,"edges":248},[244,247],{"id":227,"type":228,"label":245,"file":130,"line":246},"$_POST 
(x2)",158,{"id":232,"type":233,"label":234,"file":130,"line":199,"wp_function":235},[249],{"from":227,"to":232,"sanitized":148},{"entryPoint":251,"graph":252,"unsanitizedCount":279,"severity":280},"\u003Cbp-avatar-hover> (bp-avatar-hover.php:0)",{"nodes":253,"edges":274},[254,256,257,260,265,268,272],{"id":227,"type":228,"label":255,"file":130,"line":230},"$_POST (x16)",{"id":232,"type":233,"label":234,"file":130,"line":169,"wp_function":235},{"id":258,"type":228,"label":259,"file":130,"line":230},"n2","$_POST",{"id":261,"type":233,"label":262,"file":130,"line":263,"wp_function":264},"n3","get_var() [SQLi]",289,"get_var",{"id":266,"type":228,"label":259,"file":130,"line":267},"n4",298,{"id":269,"type":270,"label":271,"file":130,"line":267},"n5","transform","→ bp_pop_is_user_online()",{"id":273,"type":233,"label":262,"file":130,"line":263,"wp_function":264},"n6",[275,276,277,278],{"from":227,"to":232,"sanitized":148},{"from":258,"to":261,"sanitized":151},{"from":266,"to":269,"sanitized":148},{"from":269,"to":273,"sanitized":151},16,"low",{"summary":282,"deductions":283},"The \"bp-avatar-hover\" v1.0 plugin exhibits a concerning security posture, primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practice in its SQL query handling by exclusively using prepared statements and has no recorded vulnerability history, these strengths are overshadowed by critical weaknesses.\n\nThe static analysis reveals that all four identified AJAX entry points lack proper authentication checks, creating a substantial attack surface that is ripe for exploitation. Furthermore, a significant concern is the complete absence of output escaping, meaning any data processed or displayed by the plugin could potentially be vulnerable to cross-site scripting (XSS) attacks. 
The taint analysis, though limited, identified flows with unsanitized paths, which could lead to further vulnerabilities if not addressed.\n\nIn conclusion, despite the absence of known CVEs and secure SQL practices, the \"bp-avatar-hover\" plugin presents a high risk due to its unprotected AJAX endpoints and pervasive lack of output escaping. These fundamental security oversights leave the plugin and potentially the WordPress site vulnerable to various attacks. It is highly recommended that these issues be addressed immediately.",[284,286,289,292,294],{"reason":285,"points":11},"4 AJAX handlers without auth checks",{"reason":287,"points":288},"0% output escaping",8,{"reason":290,"points":291},"0 nonce checks",5,{"reason":293,"points":291},"0 capability checks",{"reason":295,"points":291},"Taint analysis shows unsanitized paths","2026-03-17T00:17:51.997Z",{"wat":298,"direct":309},{"assetPaths":299,"generatorPatterns":303,"scriptPaths":304,"versionParams":305},[300,301,302],"\u002Fwp-content\u002Fplugins\u002Fbp-avatar-hover\u002Fcss\u002Fbp-pop.css","\u002Fwp-content\u002Fplugins\u002Fbp-avatar-hover\u002Fjs\u002Fjquery.tooltipster.js","\u002Fwp-content\u002Fplugins\u002Fbp-avatar-hover\u002Fjs\u002Fbp-pop.js",[],[301,302],[306,307,308],"bp-avatar-hover\u002Fcss\u002Fbp-pop.css?ver=","bp-avatar-hover\u002Fjs\u002Fjquery.tooltipster.js?ver=","bp-avatar-hover\u002Fjs\u002Fbp-pop.js?ver=",{"cssClasses":310,"htmlComments":326,"htmlAttributes":327,"restEndpoints":330,"jsGlobals":331,"shortcodeOutput":333},[311,312,313,314,315,316,317,318,319,320,321,322,323,324,325],"g-hover-card","g-hover-card-img","user-avatar-pop","bottom-pop","pop-font","pop-minus","pop-plus","pop-accept","pop-envelope","info-pop","title-pop","info-user-pop","to-mem","item-avatar-friend-pop","to-gro",[],[328,329],"id=\"non-pop\"","id=\"friends-container\"",[],[332],"window._member",[]]