WP-Safety

BuddyPress Poke Security & Risk Analysis

wordpress.org/plugins/bp-poke

BuddyPress Poke Plugin allow members to poke users just like facebook.

100 active installs v1.1.2 PHP + WP 4.5+ Updated Feb 10, 2020
buddypresspokeuser
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is BuddyPress Poke Safe to Use in 2026?

Generally Safe

Score 85/100

BuddyPress Poke has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 6yr ago
Risk Assessment

The bp-poke plugin version 1.1.2 presents a mixed security posture. On the positive side, it shows a strong adherence to secure database practices with all SQL queries utilizing prepared statements and no known past vulnerabilities, indicating a potentially stable development history. It also avoids dangerous functions, file operations, and external HTTP requests, which are common attack vectors.

However, significant concerns arise from the static analysis. The plugin has a single unprotected AJAX handler, representing a direct entry point for attackers without any authentication or authorization checks. Furthermore, all output in the plugin is unescaped, making it highly susceptible to Cross-Site Scripting (XSS) vulnerabilities where malicious code could be injected and executed in a user's browser.

While the lack of past CVEs and taint analysis findings is encouraging, it doesn't negate the immediate risks identified in the code. The unprotected AJAX handler and unescaped output are critical weaknesses that could be exploited to compromise user data or the integrity of the WordPress site. The plugin's strengths in secure database practices are overshadowed by these critical vulnerabilities.

Key Concerns

  • AJAX handler without authentication checks
  • No output escaping on any outputs
Vulnerabilities
None known

BuddyPress Poke Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

BuddyPress Poke Release Timeline

v1.1.2Current
v1.1.1
v1.1.0
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
Code Analysis
Analyzed Mar 16, 2026

BuddyPress Poke Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
6
0 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped6 total outputs
Attack Surface
1 unprotected

BuddyPress Poke Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_activity_filterbp-poke-screens.php:28
WordPress Hooks 12
actionbp_member_header_actionsbp-poke-actions.php:42
actionyz_social_buttonsbp-poke-actions.php:43
actionbp_initbp-poke-actions.php:57
actionbp_actionsbp-poke-actions.php:113
actionbp_setup_componentsbp-poke-component.php:71
actionbp_setup_navbp-poke-screens.php:24
actionbp_setup_theme_compatbp-poke-screens.php:25
filterbp_get_template_partbp-poke-screens.php:26
actionbp_template_titlebp-poke-screens.php:121
actionbp_template_contentbp-poke-screens.php:122
actionbp_loadedbp-poke.php:39
actionbp_initbp-poke.php:42
Maintenance & Trust

BuddyPress Poke Maintenance & Trust

Maintenance Signals

WordPress version tested5.3.21
Last updatedFeb 10, 2020
PHP min version
Downloads24K

Community Trust

Rating80/100
Number of ratings4
Active installs100
Alternatives

BuddyPress Poke Alternatives

BP Profile Search

BP Profile Search

bp-profile-search

A
95

Member search and member directories for BuddyPress and the BuddyBoss Platform.

6K 3 CVEs
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

youzify

C
52

The best BuddyPress plugin for building online communities, user profile, social networks, and membership sites on WordPress with tons of features.

6K 1 unpatched
Bulk Edit and Create User Profiles – WP Sheet Editor

Bulk Edit and Create User Profiles – WP Sheet Editor

bulk-edit-user-profiles-in-spreadsheet

A
100

Modern Bulk Editor for Users and Profiles, create and edit hundreds of users in a spreadsheet inside wp-admin. Quick edits.

1K 1 CVE
Dynamic User Directory

Dynamic User Directory

dynamic-user-directory

A
99

Powerful and feature-rich user directory based on user profile meta fields.

1K 1 CVE
JSON API User

JSON API User

json-api-user

A
97

Extends the JSON API Plugin to allow RESTful user registration, authentication & many other User Meta, BP functions. A Pro version is also available.

1K 1 CVE
Developer Profile

BuddyPress Poke Developer Profile

BuddyDev

15 plugins · 15K total installs

85
trust score
Avg Security Score
87/100
Avg Patch Time
17 days
View full developer profile
Detection Fingerprints

How We Detect BuddyPress Poke

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bp-poke/css/style.css/wp-content/plugins/bp-poke/js/poke.js
Script Paths
/wp-content/plugins/bp-poke/js/poke.js
Version Parameters
bp-poke/css/style.css?ver=bp-poke/js/poke.js?ver=

HTML / DOM Fingerprints

CSS Classes
bp-poke-user-listbp-poke-user-list-item
Data Attributes
data-poke-user-id
JS Globals
bp_poke
FAQ

Frequently Asked Questions about BuddyPress Poke