BuddyKit – Additional features for BuddyPress Security & Risk Analysis

wordpress.org/plugins/buddykit

BuddyKit adds several features like Live Notifications and Media Activities to your BuddyPress powered websites.

100 active installs · v0.0.4 · PHP 5.4+ · WP 4.5+ · Updated Sep 8, 2019
Tags: activity-streams, buddypress, community, social-networking
Score: 85 · Grade A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BuddyKit – Additional features for BuddyPress Safe to Use in 2026?

Generally Safe

Score 85/100

BuddyKit – Additional features for BuddyPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6 years ago
Risk Assessment

The "buddykit" v0.0.4 plugin presents a significant security risk primarily due to its large, unprotected attack surface. While the code exhibits some good practices, such as 100% use of prepared statements for SQL queries and a high percentage of output escaping, the critical flaw lies in the complete absence of authentication and authorization checks on all identified entry points. The 5 REST API routes and the total of 5 unprotected entry points mean that any unauthenticated user can potentially interact with and manipulate these plugin functionalities, leading to unauthorized actions or information disclosure.

The static analysis reveals no dangerous functions, no taint flows with unsanitized paths, and a clean vulnerability history with no known CVEs. This suggests that the core code itself may be relatively secure from common injection or code execution vulnerabilities, and there is no historical baggage of unpatched issues. However, the scarcity of capability checks (only 3 found) and the absence of nonce checks on the entry points severely undermine this potential. The absence of these fundamental access controls is a major concern, creating an open door for attackers.

In conclusion, the "buddykit" plugin has some positive security attributes, particularly in its handling of database queries and output sanitization. Nevertheless, the overwhelming lack of security controls on its entry points, especially the REST API routes, makes it highly vulnerable. The absence of any known historical vulnerabilities is a positive sign, but it does not mitigate the current, evident risks introduced by the unprotected attack surface. This plugin should be considered high-risk until these critical access control issues are addressed.

Key Concerns

  • Unprotected REST API routes
  • No nonce checks
  • Limited capability checks
  • High number of unprotected entry points
Vulnerabilities
None known

BuddyKit – Additional features for BuddyPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

BuddyKit – Additional features for BuddyPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (20 prepared)
Unescaped Output: 5 (103 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 6
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (20 total queries)

Output Escaping

95% escaped (108 total outputs)
Attack Surface
5 unprotected

BuddyKit – Additional features for BuddyPress Attack Surface

Entry Points: 5
Unprotected: 5

REST API Routes 5

POST    /wp-json/buddykit/v1/upload                                      src\includes\media\class-media.php:61
DELETE  /wp-json/buddykit/v1/delete/(?P<id>\d+)                          src\includes\media\class-media.php:67
GET     /wp-json/buddykit/v1/user-temporary-media                        src\includes\media\class-media.php:78
DELETE  /wp-json/buddykit/v1/user-temporary-media-delete/(?P<id>\d+)     src\includes\media\class-media.php:84
DELETE  /wp-json/buddykit/v1/user-temporary-flush/(?P<id>\d+)            src\includes\media\class-media.php:95
WordPress Hooks 17
action  admin_init                      src\includes\media\admin-options\admin-options.php:6
action  admin_menu                      src\includes\media\admin-options\admin-options.php:8
filter  upload_dir                      src\includes\media\class-file-attachment.php:41
filter  wp_handle_upload_prefilter      src\includes\media\class-file-attachment.php:44
action  wp_enqueue_scripts              src\includes\media\class-media.php:15
action  wp_footer                       src\includes\media\class-media.php:18
filter  bp_activity_after_save          src\includes\media\class-media.php:21
action  bp_activity_after_save          src\includes\media\class-media.php:24
action  bp_activity_entry_content       src\includes\media\class-media.php:27
action  rest_api_init                   src\includes\media\class-media.php:58
action  bp_setup_nav                    src\includes\media\profile-tabs\profile-tabs.php:10
action  bp_template_title               src\includes\media\profile-tabs\profile-tabs.php:28
action  bp_template_content             src\includes\media\profile-tabs\profile-tabs.php:29
action  wp_enqueue_scripts              src\includes\real-time-notifications\real-time-notifications.php:17
action  bp_notification_after_save      src\includes\real-time-notifications\real-time-notifications.php:19
action  buddykit_settings_tab_fields    src\includes\real-time-notifications\real-time-notifications.php:156
action  plugins_loaded                  src\install.php:20
Maintenance & Trust

BuddyKit – Additional features for BuddyPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Sep 8, 2019
PHP min version: 5.4
Downloads: 13K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 100
Developer Profile

BuddyKit – Additional features for BuddyPress Developer Profile

Joseph G.

6 plugins · 5K total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect BuddyKit – Additional features for BuddyPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/buddykit/src/public/js/buddykit-script.js
/wp-content/plugins/buddykit/src/public/css/buddykit-style.css
Script Paths
/wp-content/plugins/buddykit/src/public/js/buddykit-script.js
Version Parameters
buddykit-script.js?ver=
buddykit-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
buddykit-activity-media-wrapper
HTML Comments
<!-- HTML Templates -->
Data Attributes
data-file-id
REST Endpoints
/buddykit/v1/upload
/buddykit/v1/delete/(?P<id>\d+)
/buddykit/v1/user-temporary-media
/buddykit/v1/user-temporary-media-delete/(?P<id>\d+)
/buddykit/v1/user-temporary-flush/(?P<id>\d+)
FAQ

Frequently Asked Questions about BuddyKit – Additional features for BuddyPress