BP Messages Tool Security & Risk Analysis

wordpress.org/plugins/bp-messages-tool

A BuddyPress tool for viewing messages

200 active installs · v2.5 · PHP + WP 4.0+ · Updated Apr 30, 2025
Tags: buddypress, messages
Score: 91 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 29, 2025
Safety Verdict

Is BP Messages Tool Safe to Use in 2026?

Generally Safe

Score 91/100

BP Messages Tool has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 29, 2025 · Updated 1yr ago
Risk Assessment

The "bp-messages-tool" v2.5 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a commendably small attack surface, with no AJAX handlers, REST API routes, shortcodes, or cron events identified as exposed without authentication or proper checks. The plugin also demonstrates good practice by using prepared statements for 95% of its SQL queries, and it has a reasonable number of nonce checks. The absence of critical or high severity taint analysis findings and of any currently unpatched CVEs are further encouraging signs. However, there are areas of concern. Only 62% of output is properly escaped, indicating a risk of Cross-Site Scripting (XSS) vulnerabilities; this aligns with the plugin's history of a medium severity reflected XSS vulnerability. The lack of capability checks on any entry point is the most significant weakness: even though the attack surface is small, it means that any user, regardless of role, could potentially trigger plugin functionality.

Key Concerns

  • Insufficient output escaping
  • Missing capability checks
  • Medium severity vulnerability in history
Vulnerabilities
1 published

BP Messages Tool Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-43839 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BP Messages Tool <= 2.2 - Reflected Cross-Site Scripting

Apr 29, 2025 · Patched in 2.5 (7d)
Version History

BP Messages Tool Release Timeline

  • v2.5: Current
  • v2.4: 1 CVE
  • v2.3: 1 CVE
  • v2.2: 1 CVE
  • v2.1: 1 CVE
  • v2.0: 1 CVE
  • v1.5: 1 CVE
  • v1.4: 1 CVE
  • v1.3: 1 CVE
  • v1.2: 1 CVE
  • v1.1: 1 CVE
  • v1.0: 1 CVE
Code Analysis
Analyzed Mar 16, 2026

BP Messages Tool Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (21 prepared)
Unescaped Output: 16 (26 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

95% prepared · 22 total queries

Output Escaping

62% escaped · 42 total outputs
Data Flows · Security: All sanitized

Data Flow Analysis

3 flows
bpmt_get_member (bpmt.php:108)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

BP Messages Tool Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 6
  • action admin_menu (bpmt.php:9)
  • filter bp_get_messages_pagination (bpmt.php:458)
  • filter bp_get_message_thread_last_message_date (bpmt.php:468)
  • action admin_notices (loader.php:18)
  • action plugins_loaded (loader.php:20)
  • action bp_loaded (loader.php:39)
Maintenance & Trust

BP Messages Tool Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 30, 2025
PHP min version:
Downloads: 15K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 200
Developer Profile

BP Messages Tool Developer Profile

shanebp

9 plugins · 2K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 124 days
Detection Fingerprints

How We Detect BP Messages Tool

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes: wrap
Data Attributes: name="bpmt-form", id="bpmt-form", name="bpmt-user", id="bpmt", name="bpmt-box", name="bpmt-submit", and 1 more
FAQ

Frequently Asked Questions about BP Messages Tool