
BP External Activity Security & Risk Analysis
wordpress.org/plugins/bp-external-activity
Allows admins to import data from an arbitrary RSS feed into their BuddyPress sitewide activity stream
Is BP External Activity Safe to Use in 2026?
Generally Safe
Score 85/100
BP External Activity has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The bp-external-activity v1.0 plugin exhibits a concerning security posture due to significant omissions in its code implementation. While the absence of dangerous functions, file operations, and external HTTP requests is a positive indicator, the plugin fails to implement critical security measures. The presence of an unprotected AJAX handler represents a direct entry point for potential attackers. Furthermore, the complete lack of output escaping is a severe vulnerability, making all data processed by the plugin susceptible to cross-site scripting (XSS) attacks. The plugin also lacks any nonce or capability checks, further widening the attack surface for unauthorized actions. The complete absence of recorded vulnerabilities in its history is a positive sign, suggesting that past development may have been more robust or that the plugin has not been a target. However, the current static analysis reveals fundamental security flaws that need immediate attention.
Key Concerns
- Unprotected AJAX handler
- No output escaping
- No nonce checks
- No capability checks
BP External Activity Security Vulnerabilities
BP External Activity Code Analysis
Output Escaping
BP External Activity Attack Surface
AJAX Handlers 1
WordPress Hooks 6
Scheduled Events 1
BP External Activity Maintenance & Trust
Maintenance Signals
Community Trust
BP External Activity Alternatives
External Group RSS tab extension
external-group-rss-tab-extension
Adds tab in the Buddypress groups for external blog RSS feeds posts of group activity
BuddyPress Activity Shortcode
bp-activity-shortcode
BuddyPress Activity shortcode plugin allows you to insert BuddyPress activity stream on any page/post using shortcode.
Activity Plus Reloaded for BuddyPress
bp-activity-plus-reloaded
Note: This plugin will be discontinued by March 31st, 2025 in favor of BuddyPress Attachment plugin. Please migrate to the new plugin before that date …
BuddyPress Group Email Subscription
buddypress-group-email-subscription
This powerful plugin allows users to receive email notifications of group activity. Weekly or daily digests are available.
BuddyPress Edit Activity
buddypress-edit-activity
BuddyPress Edit Activity allows your members to edit their activity posts on the front-end of your BuddyPress-powered site.
BP External Activity Developer Profile
27 plugins · 12K total installs
How We Detect BP External Activity
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/bp-external-activity/bp-external-activity.php
HTML / DOM Fingerprints
Based in part on Andy Peatling's BP External Group Blogs
$external_activity_feeds must be populated with the details of each feed you'd like to import into the stream. feed_url is the URL of the RSS or Atom feed. feed_action is the template for the activity action message; it should contain two instances of %s, the first of which represents the user name and the second of which represents the link title. Enter whatever you'd like for component and type. show_text is the text that appears in the activity filter dropdown menu.
ajaxurl
<option value="wiki_edit">Show Wiki Edits</option>
<option value="new_delicious_link">Show Delicious Links</option>