Todo for BuddyPress & BuddyBoss Security & Risk Analysis

wordpress.org/plugins/bp-user-to-do-list

Transform your BuddyPress or BuddyBoss community into a powerful task management platform. Members can create personal todos, collaborate on group tas …

100 active installs v3.5.1 PHP 7.4+ WP 6.5+ Updated Oct 26, 2025
Tags: buddypress, group-tasks, productivity, task-management, todo-list

Score 100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 13, 2022
Safety Verdict

Is Todo for BuddyPress & BuddyBoss Safe to Use in 2026?

Generally Safe

Score 100/100

Todo for BuddyPress & BuddyBoss has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 13, 2022 · Updated 6mo ago
Risk Assessment

The "bp-user-to-do-list" v3.5.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong practices regarding SQL queries, utilizing prepared statements exclusively, and a high percentage of properly escaped output. The significant number of nonce and capability checks also suggests a developer aware of WordPress security best practices. The absence of external HTTP requests and file operations further limits the attack surface in those areas.

However, there are notable areas of concern. The plugin presents a considerable attack surface with 12 total entry points, a significant portion of which (8) lack authentication checks. This makes them prime targets for unauthorized actions. While taint analysis did not reveal critical or high severity issues, the presence of 2 flows with unsanitized paths indicates potential vulnerabilities if user input is not handled with extreme care in these specific flows. The vulnerability history, though currently showing no unpatched CVEs, includes a past medium severity vulnerability and a common pattern of missing authorization, which aligns with the static analysis findings of unprotected entry points.

In conclusion, while the plugin benefits from secure data handling for SQL and output, the large number of unprotected AJAX handlers is a significant weakness. The past vulnerability history, particularly the recurring theme of missing authorization, underscores the importance of addressing these unprotected entry points. The plugin has strengths in its data sanitization and input validation for database operations but needs improvement in access control for its numerous AJAX endpoints.

Key Concerns

  • 8 unprotected AJAX handlers
  • 2 flows with unsanitized paths
  • 1 past medium vulnerability (Missing Authorization)
  • Bundled libraries (DataTables, Select2)
Vulnerabilities
1 published

Todo for BuddyPress & BuddyBoss Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

Wbcom Designs Plugins (Various Versions) - Arbitrary Plugin Installation, Activation and Deactivation

Apr 13, 2022 Patched in 3.0.0 (1057d)
Code Analysis
Analyzed Mar 16, 2026

Todo for BuddyPress & BuddyBoss Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 83 (873 escaped)
Nonce Checks: 26
Capability Checks: 11
File Operations: 1
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

DataTables, Select2

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

91% escaped (956 total outputs)
Data Flows · Security
2 unsanitized

Data Flow Analysis

6 flows, 2 with unsanitized paths

add_todo_tab_function_to_show_title (public\class-bptodo-public.php:703)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
8 unprotected

Todo for BuddyPress & BuddyBoss Attack Surface

Entry Points: 12
Unprotected: 8

AJAX Handlers 10

auth wp_ajax_wbcom_addons_cards (admin\wbcom\wbcom-admin-settings.php:31)
auth wp_ajax_bptodo_network_deactivate (bp-user-todo-list.php:448)
auth wp_ajax_bptodo_export_my_tasks (includes\class-bptodo.php:228)
auth wp_ajax_bptodo_remove_todo (includes\class-bptodo.php:231)
auth wp_ajax_bptodo_complete_todo (includes\class-bptodo.php:234)
auth wp_ajax_bptodo_undo_complete_todo (includes\class-bptodo.php:237)
auth wp_ajax_bptodo_add_todo_category_front (includes\class-bptodo.php:240)
auth wp_ajax_bptodo_edit_form_popup (includes\class-bptodo.php:245)
auth wp_ajax_bptodo_update_form_popup (includes\class-bptodo.php:249)
auth wp_ajax_get_group_todo_report (includes\class-bptodo.php:261)

Shortcodes 2

[wbcom_admin_setting_header] admin\wbcom\wbcom-admin-settings.php:28
[bptodo_by_category] includes\class-bptodo.php:243
WordPress Hooks 77
action admin_init (admin\class-bptodo-feedback.php:68)
action admin_init (admin\class-bptodo-feedback.php:69)
action admin_notices (admin\class-bptodo-feedback.php:147)
action admin_menu (admin\wbcom\wbcom-admin-settings.php:29)
action admin_enqueue_scripts (admin\wbcom\wbcom-admin-settings.php:30)
action widgets_init (admin\widget\class-user-todo.php:190)
action plugins_loaded (bp-user-todo-list.php:22)
action plugins_loaded (bp-user-todo-list.php:78)
action bp_loaded (bp-user-todo-list.php:123)
action init (bp-user-todo-list.php:159)
action network_admin_notices (bp-user-todo-list.php:173)
action admin_notices (bp-user-todo-list.php:181)
action admin_notices (bp-user-todo-list.php:188)
action admin_notices (bp-user-todo-list.php:205)
action admin_init (bp-user-todo-list.php:209)
action activated_plugin (bp-user-todo-list.php:304)
action plugins_loaded (bp-user-todo-list.php:331)
action activated_plugin (bp-user-todo-list.php:375)
action admin_enqueue_scripts (bp-user-todo-list.php:433)
filter site_option_active_sitewide_plugins (bp-user-todo-list.php:483)
action wp (inc\class-bptodo-globals.php:42)
filter bptodo_exclude_modrator_view (includes\bptodo-functions.php:65)
filter bptodo_exclude_modrator_edit (includes\bptodo-functions.php:105)
action wp (includes\bptodo-functions.php:134)
action admin_init (includes\class-bptodo-data-retention.php:21)
action bptodo_daily_cleanup (includes\class-bptodo-data-retention.php:22)
action update_option_data-retention-settings (includes\class-bptodo-data-retention.php:25)
filter bp_email_get_schema (includes\class-bptodo-emails.php:23)
filter bp_email_get_type_schema (includes\class-bptodo-emails.php:24)
action bp_init (includes\class-bptodo-emails.php:26)
action bp_init (includes\class-bptodo-emails.php:29)
action bp_init (includes\class-bptodo-emails.php:31)
action bp_loaded (includes\class-bptodo-emails.php:499)
action plugins_loaded (includes\class-bptodo.php:172)
action admin_enqueue_scripts (includes\class-bptodo.php:187)
action admin_enqueue_scripts (includes\class-bptodo.php:188)
action init (includes\class-bptodo.php:189)
action init (includes\class-bptodo.php:190)
action admin_menu (includes\class-bptodo.php:191)
action admin_init (includes\class-bptodo.php:192)
action admin_init (includes\class-bptodo.php:193)
action plugins_loaded (includes\class-bptodo.php:195)
action wp_enqueue_scripts (includes\class-bptodo.php:196)
action admin_enqueue_scripts (includes\class-bptodo.php:197)
action in_admin_header (includes\class-bptodo.php:198)
action wp_enqueue_scripts (includes\class-bptodo.php:212)
action wp_enqueue_scripts (includes\class-bptodo.php:213)
action bp_init (includes\class-bptodo.php:215)
action bp_setup_nav (includes\class-bptodo.php:216)
action bp_setup_nav (includes\class-bptodo.php:217)
action bptodo_todo_notification (includes\class-bptodo.php:219)
action bp_setup_admin_bar (includes\class-bptodo.php:221)
filter manage_bp-todo_posts_columns (includes\class-bptodo.php:222)
action manage_bp-todo_posts_custom_column (includes\class-bptodo.php:223)
filter bp_notifications_get_registered_components (includes\class-bptodo.php:224)
filter bp_notifications_get_notifications_for_user (includes\class-bptodo.php:225)
action wp_footer (includes\class-bptodo.php:247)
action bp_members_notification_settings_before_submit (includes\class-bptodo.php:251)
action bp_core_notification_settings_after_save (includes\class-bptodo.php:253)
action groups_custom_group_fields_editable (includes\class-bptodo.php:256)
action groups_group_details_edited (includes\class-bptodo.php:257)
filter bp_notifications_get_registered_components (includes\class-bptodo.php:258)
action bptodo_group_todo_submit (includes\class-bptodo.php:259)
action bptodo_group_todo_submit (includes\class-bptodo.php:260)
action template_redirect (includes\class-bptodo.php:263)
action save_post_bp-todo (includes\class-bptodo.php:266)
action before_delete_post (includes\class-bptodo.php:267)
action pre_get_posts (public\bptodo-plugin-genral-function.php:86)
filter template_include (public\bptodo-plugin-genral-function.php:98)
filter bp_nouveau_nav_has_count (public\class-bptodo-groups-extension-tab.php:32)
filter bp_nouveau_get_nav_count (public\class-bptodo-groups-extension-tab.php:33)
filter cron_schedules (public\class-bptodo-public.php:32)
action init (public\class-bptodo-public.php:34)
action bp_template_content (public\class-bptodo-public.php:569)
action bp_template_title (public\class-bptodo-public.php:691)
action bp_template_content (public\class-bptodo-public.php:692)
action bp_template_content (public\class-bptodo-public.php:885)

Scheduled Events 3

bptodo_daily_cleanup
bptodo_daily_cleanup
bptodo_todo_notification
Maintenance & Trust

Todo for BuddyPress & BuddyBoss Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 26, 2025
PHP min version: 7.4
Downloads: 20K

Community Trust

Rating: 74/100
Number of ratings: 6
Active installs: 100
Developer Profile

Todo for BuddyPress & BuddyBoss Developer Profile

wbcomdesigns

19 plugins · 10K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 807 days
Detection Fingerprints

How We Detect Todo for BuddyPress & BuddyBoss

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bp-user-to-do-list/css/main.css
/wp-content/plugins/bp-user-to-do-list/js/bptodo.js
/wp-content/plugins/bp-user-to-do-list/js/bptodo-admin.js
/wp-content/plugins/bp-user-to-do-list/css/bptodo-admin.css
/wp-content/plugins/bp-user-to-do-list/js/bp-todo-list-frontend.js
/wp-content/plugins/bp-user-to-do-list/css/bp-todo-list-frontend.css
Script Paths
/wp-content/plugins/bp-user-to-do-list/js/bptodo.js
/wp-content/plugins/bp-user-to-do-list/js/bptodo-admin.js
/wp-content/plugins/bp-user-to-do-list/js/bp-todo-list-frontend.js
Version Parameters
bp-user-to-do-list/css/main.css?ver=
bp-user-to-do-list/js/bptodo.js?ver=
bp-user-to-do-list/js/bptodo-admin.js?ver=
bp-user-to-do-list/css/bptodo-admin.css?ver=
bp-user-to-do-list/js/bp-todo-list-frontend.js?ver=
bp-user-to-do-list/css/bp-todo-list-frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes
bp-todo-list-wrapper, bptodo-user-list-wrapper, bptodo-add-task-form, bptodo-task-item, bptodo-task-actions, bptodo-task-title, bptodo-task-description, bptodo-task-due-date, +6 more
HTML Comments
<!-- Start: BP User ToDo List Plugin -->
<!-- End: BP User ToDo List Plugin -->
Data Attributes
data-bptodo-task-id, data-bptodo-user-id
JS Globals
bptodo_ajax_object, bptodo_vars, bp_todo_list_frontend
REST Endpoints
/wp-json/bptodo/v1/tasks
/wp-json/bptodo/v1/tasks/(?P<id>\d+)
/wp-json/bptodo/v1/users
/wp-json/bptodo/v1/settings
Shortcode Output
[bp_user_todo_list], [bp_todo_list_widget]
FAQ

Frequently Asked Questions about Todo for BuddyPress & BuddyBoss