BP Classic Security & Risk Analysis

wordpress.org/plugins/bp-classic

BP Classic, a BuddyPress (12.0.0 & up) backwards compatibility add-on

7K active installs · v1.4.0 · PHP 5.6+ · WP 5.8+ · Updated Jul 13, 2024
backcompat, buddypress
Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BP Classic Safe to Use in 2026?

Generally Safe

Score 92/100

BP Classic has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The "bp-classic" v1.4.0 plugin exhibits a strong security posture based on the provided static analysis. All identified entry points, including AJAX handlers, appear to have authentication checks, and there are no exposed REST API routes or shortcodes without permission callbacks. The absence of dangerous functions, raw SQL queries, file operations, and external HTTP requests further strengthens its security. The plugin also demonstrates good practices by utilizing prepared statements for all SQL queries and implementing a significant number of nonce checks. The fact that there are no recorded CVEs, either historically or currently unpatched, suggests a mature and well-maintained codebase.

However, a minor concern arises from the output escaping, where only 73% of outputs are properly escaped. While not indicating an immediate critical vulnerability, this could represent a potential avenue for cross-site scripting (XSS) attacks if user-supplied data is consistently rendered without sufficient sanitization. The presence of capability checks, while positive, is only noted once, which might be insufficient for a plugin with multiple AJAX handlers, though the analysis states all are protected.

Overall, "bp-classic" v1.4.0 appears to be a secure plugin with robust security measures in place. The main area for improvement lies in ensuring 100% output escaping across all rendering functions. The lack of historical vulnerabilities is a significant strength, indicating a proactive approach to security by the developers.

Key Concerns

  • Output escaping is not fully implemented
Vulnerabilities
None known

BP Classic Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

BP Classic Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 109 (294 escaped)
Nonce Checks: 29
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

73% escaped · 403 total outputs
Data Flows: All sanitized

Data Flow Analysis

9 flows
bp_classic_groups_ajax_widget (inc\groups\widgets.php:38)
Attack Surface

BP Classic Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers 6

auth    wp_ajax_widget_friends      inc\friends\widgets.php:119
nopriv  wp_ajax_widget_friends      inc\friends\widgets.php:120
auth    wp_ajax_widget_groups_list  inc\groups\widgets.php:120
nopriv  wp_ajax_widget_groups_list  inc\groups\widgets.php:121
auth    wp_ajax_widget_members      inc\members\widgets.php:143
nopriv  wp_ajax_widget_members      inc\members\widgets.php:144
WordPress Hooks 80
action bp_loaded class-bp-classic.php:312
action network_admin_notices class-bp-classic.php:315
action admin_notices class-bp-classic.php:316
filter bp_classic_admin_display_directory_states inc\activity\admin\functions.php:32
filter bp_activity_recurse_comments_template inc\activity\filters.php:26
filter bp_classic_admin_display_directory_states inc\blogs\admin\functions.php:32
action bp_enqueue_scripts inc\blogs\classes\class-bp-classic-blogs-recent-posts-widget.php:41
action widgets_init inc\blogs\widgets.php:32
action bp_register_widgets inc\blogs\widgets.php:35
action bp_admin_init inc\core\admin\functions.php:31
filter display_post_states inc\core\admin\functions.php:58
action bp_admin_submenu_pages inc\core\admin\slugs.php:349
action bp_admin_head inc\core\admin\slugs.php:360
filter bp_core_get_admin_settings_tabs inc\core\admin\slugs.php:379
action bp_enqueue_scripts inc\core\classes\class-bp-classic-core-login-widget.php:39
filter bp_core_get_directory_post_type inc\core\filters.php:24
filter bp_core_get_query_parser inc\core\filters.php:36
action bp_loaded inc\core\filters.php:55
filter theme_root_uri inc\core\filters.php:73
action bp_core_setup_globals inc\core\filters.php:87
action bp_core_removed_nav_item inc\core\filters.php:101
action bp_core_removed_subnav_item inc\core\filters.php:102
action bp_init inc\core\functions.php:503
action bp_register_theme_directory inc\core\functions.php:662
action widgets_init inc\core\widgets.php:29
action bp_register_widgets inc\core\widgets.php:31
filter dynamic_sidebar_params inc\core\widgets.php:87
action bp_enqueue_scripts inc\core\widgets.php:141
action bp_members_parse_query inc\forums\functions.php:35
action bp_groups_parse_query inc\forums\functions.php:36
action bp_enqueue_scripts inc\friends\classes\class-bp-classic-friends-widget.php:36
action widgets_init inc\friends\widgets.php:40
action bp_register_widgets inc\friends\widgets.php:42
action bp_loaded inc\functions.php:34
action bp_loaded inc\globals.php:46
filter bp_classic_admin_display_directory_states inc\groups\admin\functions.php:32
action bp_enqueue_scripts inc\groups\classes\class-bp-classic-groups-widget.php:36
action widgets_init inc\groups\widgets.php:29
action bp_register_widgets inc\groups\widgets.php:31
action _bp_classic_includes inc\loader.php:76
action bp_after_setup_theme inc\loader.php:93
action bbp_buddypress_loaded inc\loader.php:103
filter bp_classic_admin_display_directory_states inc\members\admin\functions.php:42
action bp_enqueue_scripts inc\members\classes\class-bp-classic-members-recently-active-widget.php:42
action bp_enqueue_scripts inc\members\classes\class-bp-classic-members-whos-online-widget.php:42
action bp_enqueue_scripts inc\members\classes\class-bp-classic-members-widget.php:45
action widgets_init inc\members\widgets.php:47
action widgets_init inc\members\widgets.php:48
action widgets_init inc\members\widgets.php:49
action bp_register_widgets inc\members\widgets.php:51
action bp_enqueue_scripts inc\messages\classes\class-bp-classic-messages-sitewide-notices-widget.php:39
action widgets_init inc\messages\widgets.php:29
action bp_register_widgets inc\messages\widgets.php:31
filter wp_unique_post_slug inc\migrate.php:69
action bp_widgets_init inc\templates\nouveau.php:31
action bp_widgets_init inc\templates\nouveau.php:34
action widgets_init inc\templates\nouveau.php:39
action bp_after_setup_theme inc\templates\nouveau.php:43
action bp_member_header_actions themes\bp-default\functions.php:119
action bp_member_header_actions themes\bp-default\functions.php:123
action bp_member_header_actions themes\bp-default\functions.php:127
action bp_group_header_actions themes\bp-default\functions.php:131
action bp_directory_groups_actions themes\bp-default\functions.php:132
action bp_directory_blogs_actions themes\bp-default\functions.php:137
action after_setup_theme themes\bp-default\functions.php:140
action wp_enqueue_scripts themes\bp-default\functions.php:191
action wp_enqueue_scripts themes\bp-default\functions.php:236
action widgets_init themes\bp-default\functions.php:456
filter bp_get_activity_action_pre_meta themes\bp-default\functions.php:574
action admin_notices themes\bp-default\functions.php:600
filter wp_page_menu_args themes\bp-default\functions.php:640
filter comment_form_defaults themes\bp-default\functions.php:675
action comment_form_top themes\bp-default\functions.php:705
action comment_form themes\bp-default\functions.php:723
action bp_sidebar_login_form themes\bp-default\functions.php:740
filter bp_get_the_body_class themes\bp-default\functions.php:782
action bp_before_header themes\bp-default\functions.php:805
filter bp_get_the_profile_field_input_name themes\bp-default\functions.php:826
action after_setup_theme themes\bp-default\_inc\ajax.php:78
filter bp_ajax_querystring themes\bp-default\_inc\ajax.php:164
Maintenance & Trust

BP Classic Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Jul 13, 2024
PHP min version: 5.6
Downloads: 67K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 7K
Developer Profile

BP Classic Developer Profile

BuddyPress

2 plugins · 107K total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 1301 days
Detection Fingerprints

How We Detect BP Classic

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bp-classic/assets/css/admin.css
/wp-content/plugins/bp-classic/assets/css/bp-classic.css
/wp-content/plugins/bp-classic/assets/css/bp-classic.min.css
/wp-content/plugins/bp-classic/assets/js/bp-classic-admin.js
/wp-content/plugins/bp-classic/assets/js/bp-classic.js
/wp-content/plugins/bp-classic/assets/js/bp-classic.min.js
Version Parameters
bp-classic/assets/css/bp-classic.css?ver=
bp-classic/assets/css/bp-classic.min.css?ver=
bp-classic/assets/js/bp-classic.js?ver=
bp-classic/assets/js/bp-classic.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
bp-classic-admin
bp-classic-wrap
JS Globals
bp_classic_admin
FAQ

Frequently Asked Questions about BP Classic