BP Profile Search Security & Risk Analysis

wordpress.org/plugins/bp-profile-search

Member search and member directories for BuddyPress and the BuddyBoss Platform.

6K active installs · v5.8.3 · PHP (min version not listed) · WP 6.1+ · Updated Dec 14, 2025
Tags: buddypress, directory, members, search, users

Score: 95 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Aug 19, 2024
Safety Verdict

Is BP Profile Search Safe to Use in 2026?

Generally Safe

Score 95/100

BP Profile Search has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Aug 19, 2024 · Updated 5 months ago
Risk Assessment

The bp-profile-search plugin v5.8.3 exhibits a mixed security posture. On the positive side, all 36 SQL queries the scanner found use prepared statements, the three AJAX handlers are registered for authenticated users only and carry nonce checks, and the plugin performs no file operations, makes no external HTTP requests and bundles no third-party libraries. Several concerns warrant attention. Only 36 of the 209 output statements found by static analysis are escaped (17%). That figure is a raw count of output sites rather than a taint result, but both 2024 CVEs are reflected XSS in the search form, so the concern is not theoretical. The scanner also records no capability checks: a nonce proves that a request was intended, not that the user is authorized, so whether a low-privilege logged-in user can reach the admin AJAX handlers depends on where the nonce is emitted and what the handlers do. The single `unserialize` call (bps-xprofile.php:201) is flagged because the plugin's one critical advisory was a PHP object injection; the page does not show whether the value reaching that call is attacker-controlled, so it is where a manual review should start. The remaining history (CSRF to reflected XSS, reflected XSS) belongs to the same input-handling class. The current version has no unpatched CVEs, and the two 2024 issues were fixed within one and six days of disclosure. The 2601-day interval attached to the 2016 advisory is an outlier against those fixes and drives the developer's average patch time; verify it against the release history before reading it as a trend.

Key Concerns

  • Low rate of properly escaped output (36 of 209 output sites)
  • Presence of unserialize function (bps-xprofile.php:201)
  • No capability checks recorded on the authenticated AJAX handlers (nonce checks only)
  • Past critical vulnerability history (PHP object injection, fixed in 4.6)
  • Past CSRF vulnerabilities
  • Past XSS vulnerabilities
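Both 2024 CVEs are reflected XSS in the search form, and the low escaping rate above is the static signature of that defect class. The following is an added example, not code from bp-profile-search, of the pattern behind such findings next to its hardened form: a constructed form renderer that reflects request parameters into four different output contexts, each of which needs a different WordPress escaping function. The parameter names (`field_x`, `label`, `page_url`) and markup are hypothetical, and the code assumes it runs inside WordPress so that `esc_attr`, `esc_html`, `esc_url`, `wp_json_encode`, `sanitize_text_field` and `wp_unslash` are available.

```php
<?php
// Added example, not from bp-profile-search. Parameter names and markup are hypothetical.

// Vulnerable shape: request data reflected into markup without escaping.
// Each concatenation below is a separate reflected-XSS sink.
function bps_example_form_unsafe(array $request): string
{
    $field = $request['field_x']  ?? '';
    $label = $request['label']    ?? 'Search';
    $page  = $request['page_url'] ?? '/members/';
    return '<form action="' . $page . '">'
         . '<label>' . $label . '</label>'
         . '<input name="field_x" value="' . $field . '">'
         . '<script>var bpsLast = "' . $field . '";</script>'
         . '</form>';
}

// Hardened shape: sanitize on input, then escape each sink for its own context.
//   esc_url        for href/action (drops javascript: and other unsafe schemes)
//   esc_html       for element text
//   esc_attr       for attribute values
//   wp_json_encode for a complete JavaScript string literal; the HEX flags keep
//                  </script>, quotes and ampersands from terminating the block
function bps_example_form_safe(array $request): string
{
    $field = sanitize_text_field(wp_unslash($request['field_x'] ?? ''));
    $label = sanitize_text_field(wp_unslash($request['label'] ?? 'Search'));
    $page  = wp_unslash($request['page_url'] ?? '/members/');
    $js    = wp_json_encode($field, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<form action="' . esc_url($page) . '">'
         . '<label>' . esc_html($label) . '</label>'
         . '<input name="field_x" value="' . esc_attr($field) . '">'
         . '<script>var bpsLast = ' . $js . ';</script>'
         . '</form>';
}

// Constructed probe (not a captured request): breaks out of the attribute and
// the JS string in the unsafe renderer, injects a tag into the label, and puts
// a javascript: URL into the form action.
$probe = [
    'field_x'  => '" autofocus onfocus=alert(1) x="',
    'label'    => '<img src=x onerror=alert(2)>',
    'page_url' => 'javascript:alert(3)',
];

echo bps_example_form_safe($probe), PHP_EOL;
```

Run with the probe, the hardened renderer emits the attribute value with its quotes entity-encoded, the label with the `img` tag stripped by `sanitize_text_field`, the script literal as a JSON string, and an empty `action` because `esc_url` rejects the `javascript:` scheme. The same probe through `bps_example_form_unsafe` produces four working injections, which is the behaviour the unescaped-output count is trying to flag.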
Vulnerabilities
3 published

BP Profile Search Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2024: 2 CVEs

Severity Breakdown

Critical: 1
Medium: 2

3 total CVEs

CVE-2024-7850 · medium · CVSS 6.1 · Cross-Site Request Forgery (CSRF)

BP Profile Search <= 5.7.5 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Published Aug 19, 2024 · Patched in 5.8 (1 day)

CVE-2024-22293 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BP Profile Search <= 5.5 - Reflected Cross-Site Scripting via BPS_FORM

Published Jan 17, 2024 · Patched in 5.6 (6 days)

WF-9d0c144b-609b-4b4a-bfb2-de38b5969a9e (non-CVE advisory identifier) · critical · severity 9 · Deserialization of Untrusted Data

BP Profile Search <= 4.5.3 - PHP Object Injection

Published Dec 9, 2016 · Patched in 4.6 (2601 days as recorded by the scanner)
Code Analysis
Analyzed Mar 16, 2026

BP Profile Search Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (36 prepared)
Unescaped Output: 173 (36 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · bps-xprofile.php:201 · `$f->d_value = unserialize ($value);`
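The flagged call matters because the plugin's one critical advisory was a PHP object injection, and the page does not show what feeds `$value`. The following is an added example, not the plugin's code, that puts the shape of the flagged call beside a hardened decoder which refuses to instantiate any class. The `Hypothetical` class name in the payload is invented for the demonstration; the function names are hypothetical too. Plain PHP 7.0 or later is enough to run it.

```php
<?php
// Added example, not bp-profile-search code. The flagged line on the page is
// `$f->d_value = unserialize ($value);` at bps-xprofile.php:201; what reaches
// $value is not shown there, so this treats it as untrusted.

// Shape of the flagged call: any class the autoloader can reach may be
// instantiated from the payload, so a gadget class's __wakeup/__destruct runs.
// This is the primitive behind PHP object injection.
function bps_example_decode_unsafe(string $value)
{
    return unserialize($value);
}

// Hardened: with allowed_classes => false every serialized object becomes a
// __PHP_Incomplete_Class, whose magic methods never execute. Arrays and scalars
// decode normally; anything that still contains an object is rejected outright,
// because a stored default value should only ever be data.
function bps_example_decode_safe(string $value)
{
    if ($value === 'b:0;') {
        return false;                  // the one legitimate payload that decodes to false
    }
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false) {
        return null;                   // malformed or empty input, not a stored value
    }
    if (bps_example_contains_object($decoded)) {
        return null;                   // an object where only data was expected
    }
    return $decoded;
}

// Walk the decoded structure and report any (incomplete) object nested in it.
function bps_example_contains_object($node): bool
{
    if (is_object($node)) {
        return true;
    }
    if (is_array($node)) {
        foreach ($node as $child) {
            if (bps_example_contains_object($child)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed payloads: a serialized object of an invented class, the same
// object nested inside an array, and a plain array of the kind a field default
// would actually hold.
$gadget = 'O:12:"Hypothetical":1:{s:3:"cmd";s:2:"id";}';
$nested = serialize(['label' => 'x']) ;            // decoded below, then an object is spliced in
$nested = 'a:1:{s:5:"inner";' . $gadget . '}';
$plain  = serialize(['checkbox' => ['Yes', 'No']]);

var_dump(bps_example_decode_safe($gadget));
var_dump(bps_example_decode_safe($nested));
var_dump(bps_example_decode_safe($plain));
```

The two payloads carrying the object come back as `null` from the hardened decoder, while the plain array round-trips intact. If the stored format is under the plugin's own control, storing JSON and decoding with `json_decode($value, true)` removes the class-instantiation primitive entirely and is the simpler fix; the `allowed_classes` guard is the option when existing serialized data must keep being read.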

SQL Query Safety

100% prepared (36 total queries)

Output Escaping

17% escaped (36 of 209 total outputs)
Data Flows · Security
3 unsanitized

Data Flow Analysis

3 flows, 3 with unsanitized paths (one flow is named on the page):
bps_ajax_field_selector (bps-admin.php:163)
Attack Surface

BP Profile Search Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 3

auth · wp_ajax_bps_field_selector · bps-admin.php:162
auth · wp_ajax_bps_field_row · bps-admin.php:170
auth · wp_ajax_bps_template_options · bps-admin.php:179
("auth" means the handler is registered on the wp_ajax_ prefix only, so it is reachable by logged-in users; no wp_ajax_nopriv_ registration is listed.)
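The three handlers above carry nonce checks, but the code analysis records zero capability checks and one of them (bps_ajax_field_selector) is the named unsanitized data flow. The following is an added example, not the plugin's code, of how an authenticated admin-AJAX handler should layer the four checks: nonce, capability, input whitelisting, and escaped output. The hook name, nonce action, POST field names and `bps_example_allowed_fields` helper are hypothetical; the capability check assumes the `bps_form` custom post type seen in the hook list maps the `edit_post` meta capability, which is WordPress's default for post types registered with `map_meta_cap`.

```php
<?php
// Added example, not bp-profile-search code. Hook, nonce and field names are hypothetical.
// Registering on wp_ajax_ only (no wp_ajax_nopriv_) limits the handler to logged-in
// users, matching the "auth" entries above. That is authentication, not authorization:
// a subscriber is logged in too.
add_action('wp_ajax_bps_example_field_selector', 'bps_example_field_selector');

function bps_example_field_selector(): void
{
    // 1. Intent: the request must carry a nonce minted for this action for this user.
    //    check_ajax_referer() terminates the request with HTTP 403 when it fails.
    check_ajax_referer('bps_example_admin', 'nonce');

    // 2. Authorization: the scanner records no capability checks in the plugin.
    //    Tie the check to the object being edited (a bps_form post) rather than to
    //    "is logged in". Use manage_options instead for a site-wide settings screen.
    $form_id = isset($_POST['form_id']) ? absint($_POST['form_id']) : 0;
    if ($form_id === 0 || !current_user_can('edit_post', $form_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);   // exits
    }

    // 3. Input: the flagged flow is user input reaching a sink unsanitized. Normalise
    //    the selector, then accept it only if it names a known field.
    $field = isset($_POST['field']) ? sanitize_key(wp_unslash($_POST['field'])) : '';
    if ($field === '' || !in_array($field, bps_example_allowed_fields(), true)) {
        wp_send_json_error(['message' => 'unknown field'], 400);   // exits
    }

    // 4. Output: any HTML fragment is escaped before it is built, and the envelope
    //    is JSON so the client decides how to insert it.
    wp_send_json_success([
        'field' => $field,
        'html'  => '<option value="' . esc_attr($field) . '">' . esc_html($field) . '</option>',
    ]);
}

// Hypothetical stand-in for a lookup of the site's BuddyPress xprofile field IDs.
function bps_example_allowed_fields(): array
{
    return ['field_1', 'field_2', 'field_3'];
}
```

The nonce on the client side comes from `wp_create_nonce('bps_example_admin')` passed through `wp_localize_script` on the admin screen that hosts the form editor; if that value is never rendered on a page a low-privilege user can load, step 1 already shuts them out, but step 2 is what makes the handler safe regardless of where the nonce ends up.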

Shortcodes 2

[bps_directory] bps-directory.php:94
[bps_form] bps-form.php:50
WordPress Hooks 45
action · add_meta_boxes · bps-admin.php:3
action · save_post · bps-admin.php:220
filter · debug_information · bps-admin.php:288
action · init · bps-directory.php:63
action · bp_before_directory_members_content · bps-directory.php:201
action · bp_members_directory_order_options · bps-directory.php:214
action · bp_before_directory_members_content · bps-directory.php:217
action · bp_before_members_loop · bps-directory.php:280
filter · bp_user_query_uid_clauses · bps-directory.php:293
action · bp_directory_members_item · bps-directory.php:294
filter · bp_core_get_directory_page_ids · bps-directory.php:346
filter · bp_get_members_root_slug · bps-directory.php:354
filter · bp_members_get_user_url · bps-directory.php:360
filter · bp_get_template_part · bps-directory.php:381
filter · bp_legacy_object_template_path · bps-directory.php:402
filter · bp_nouveau_object_template_path · bps-directory.php:403
filter · bps_add_fields · bps-external.php:3
filter · bps_add_fields · bps-external.php:84
filter · bps_add_fields · bps-external.php:194
filter · bps_add_fields · bps-external.php:349
action · bp_before_directory_members_tabs · bps-form.php:3
action · bps_display_form · bps-form.php:44
action · admin_notices · bps-main.php:15
action · bp_include · bps-main.php:25
action · wp · bps-request.php:3
filter · bp_ajax_querystring · bps-search.php:12
action · bps_field_before_query · bps-search.php:91
filter · bps_field_sql · bps-search.php:104
filter · bps_field_search_results · bps-search.php:121
action · init · bps-start.php:18
action · init · bps-start.php:24
action · init · bps-start.php:87
filter · manage_bps_form_posts_columns · bps-start.php:137
action · manage_posts_custom_column · bps-start.php:154
filter · bulk_actions-edit-bps_form · bps-start.php:186
filter · post_row_actions · bps-start.php:198
filter · manage_edit-bps_form_sortable_columns · bps-start.php:208
filter · request · bps-start.php:215
filter · post_updated_messages · bps-start.php:228
filter · bulk_post_updated_messages · bps-start.php:248
action · admin_head · bps-start.php:270
filter · bp_get_template_stack · bps-template.php:3
action · widgets_init · bps-widget.php:3
filter · bps_add_fields · bps-xprofile.php:3
filter · bps_add_fields · bps-xprofile.php:268
Maintenance & Trust

BP Profile Search Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 14, 2025
PHP min version: (not listed)
Downloads: 670K

Community Trust

Rating: 100/100
Number of ratings: 71
Active installs: 6K
Developer Profile

BP Profile Search Developer Profile

Andrea Tarantini

3 plugins · 7K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 693 days (across the developer's plugins; dominated by the 2601-day interval recorded for the 2016 advisory)
Detection Fingerprints

How We Detect BP Profile Search

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bp-profile-search/css/bps-directory.css
/wp-content/plugins/bp-profile-search/js/bps-directory.js
/wp-content/plugins/bp-profile-search/js/bps-members-directory.js
/wp-content/plugins/bp-profile-search/css/bps-members-directory.css
/wp-content/plugins/bp-profile-search/css/bps-members-widget.css
/wp-content/plugins/bp-profile-search/js/bps-members-widget.js
/wp-content/plugins/bp-profile-search/js/bps-autocomplete.js
Script Paths
/wp-content/plugins/bp-profile-search/js/bps-directory.js
/wp-content/plugins/bp-profile-search/js/bps-members-directory.js
/wp-content/plugins/bp-profile-search/js/bps-members-widget.js
/wp-content/plugins/bp-profile-search/js/bps-autocomplete.js
Version Parameters
bp-profile-search/css/bps-directory.css?ver=
bp-profile-search/js/bps-directory.js?ver=
bp-profile-search/js/bps-members-directory.js?ver=
bp-profile-search/css/bps-members-directory.css?ver=
bp-profile-search/css/bps-members-widget.css?ver=
bp-profile-search/js/bps-members-widget.js?ver=
bp-profile-search/js/bps-autocomplete.js?ver=

HTML / DOM Fingerprints

CSS Classes
bps-directory, bps-filters, bps-clear, bps-field-wrapper, bps-field-label, bps-field-content, bps-field-options, bps-filter-input, +8 more
Data Attributes
data-bps-template, data-bps-ajax-template, data-bps-show, data-bps-order-by, data-bps-split
JS Globals
bps_directory, bps_directory_data, bps_members_directory_params, bps_members_directory, bps_members_widget_params, bps_members_widget, +2 more
Shortcode Output
[bps_directory]
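The fingerprints above are what an automated audit matches against page HTML. The following is an added example, not the scanner's own code, that applies them: it looks for the plugin's asset paths and reads the `?ver=` parameter, falls back to the DOM markers when assets are missing or rewritten, and compares the observed version against the three affected ranges listed on this page. The sample HTML is constructed, not captured from a real site, and the function names are hypothetical. It runs on plain PHP; no WordPress is needed.

```php
<?php
// Added example, not the scanner's code. Sample HTML is constructed.

const BPS_PLUGIN_DIR = '/wp-content/plugins/bp-profile-search/';

// Last affected version per advisory, as listed on this page ("<= X").
const BPS_ADVISORIES = [
    'CVE-2024-7850'                           => '5.7.5',
    'CVE-2024-22293'                          => '5.5',
    'WF-9d0c144b-609b-4b4a-bfb2-de38b5969a9e' => '4.5.3',
];

// Subset of the HTML/DOM fingerprints from this page, used when the assets are
// concatenated by a cache plugin or served from a rewritten CDN path.
const BPS_DOM_MARKERS = ['bps-directory', 'bps-filters', 'data-bps-template', 'bps_directory_data'];

// Returns ['present' => bool, 'version' => string|null].
function bps_detect(string $html): array
{
    $pattern  = '#' . preg_quote(BPS_PLUGIN_DIR, '#')
              . '(?:css|js)/[\w.-]+\.(?:css|js)(?:\?ver=([\w.-]+))?#';
    $assetHit = preg_match_all($pattern, $html, $m) > 0;
    $versions = array_values(array_unique(array_filter($m[1] ?? [])));

    $domHit = false;
    foreach (BPS_DOM_MARKERS as $marker) {
        if (strpos($html, $marker) !== false) {
            $domHit = true;
            break;
        }
    }

    if (!$assetHit && !$domHit) {
        return ['present' => false, 'version' => null];
    }

    // ver= is trustworthy only when every plugin asset agrees on it. A site that
    // enqueues without a version gets the WordPress core version here instead, and
    // a cache-buster hash is also possible, so sanity-check the value against the
    // plugin's release list before acting on it.
    $version = count($versions) === 1 ? $versions[0] : null;
    return ['present' => true, 'version' => $version];
}

// Advisories whose affected range includes the observed version.
function bps_affected(?string $version): array
{
    if ($version === null || !preg_match('/^\d+(\.\d+)*$/', $version)) {
        return [];                              // unknown or non-numeric: report nothing
    }
    $hits = [];
    foreach (BPS_ADVISORIES as $id => $lastBad) {
        if (version_compare($version, $lastBad, '<=')) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed page fragment carrying two asset fingerprints and one DOM fingerprint.
$sample = <<<HTML
<link rel="stylesheet" href="https://example.test/wp-content/plugins/bp-profile-search/css/bps-directory.css?ver=5.7.5">
<script src="https://example.test/wp-content/plugins/bp-profile-search/js/bps-directory.js?ver=5.7.5"></script>
<div class="bps-directory bps-filters" data-bps-template="members/members-loop"></div>
HTML;

$result = bps_detect($sample);
print_r($result);
print_r(bps_affected($result['version']));
```

On the constructed fragment the plugin is detected with version 5.7.5, which falls inside the CVE-2024-7850 range (<= 5.7.5) and outside the other two, so only that identifier is returned; a page running 5.8.3 returns an empty list. A DOM-only hit yields `present => true` with a `null` version, which is the right answer when the assets are rewritten: the plugin is there, but the version has to be established some other way.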
FAQ

Frequently Asked Questions about BP Profile Search