
Buddypress Friend of a Friend (FOAF) Security & Risk Analysis
wordpress.org/plugins/buddypress-foaf
This plugin adds a new block to each user profile page that displays a "Friend of a Friend (FOAF)" list.
Is Buddypress Friend of a Friend (FOAF) Safe to Use in 2026?
Generally Safe
Score 85/100
Buddypress Friend of a Friend (FOAF) has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "buddypress-foaf" plugin v2.7 shows a mixed security posture. On the positive side, the scan found no known CVEs, no dangerous functions, and no external HTTP requests or file operations, which keeps the attack surface small. It also reports 0 unprotected AJAX handlers and 0 REST API routes without permission callbacks. With only one shortcode and three hooks as entry points, that most likely means the plugin registers no AJAX handlers or REST routes at all, rather than that it protects them well, so it should not be read as evidence of careful authorization work.
Several concerns do emerge from the static analysis. The most significant is the complete absence of output escaping: values pulled from the database and rendered on the frontend (member display names, for example) reach the page without esc_html()/esc_attr(), so any stored value an attacker can influence becomes a Cross-Site Scripting (XSS) vector. In addition, a substantial share of the plugin's SQL queries (40%, per the scan) do not go through $wpdb->prepare(), which is a SQL injection risk wherever such a query mixes in request or user-controlled data. The scan also finds no nonce checks and no capability checks. For a read-only shortcode that only renders a list these matter less, since there is no state change to protect, but it does mean that any parameter the shortcode accepts is neither validated nor authorized before it reaches those unprepared queries.
The absence of recorded vulnerabilities means only that nobody has reported one, not that these patterns are safe. It is possible that the flagged code has not yet been exploited, or that the shortcode's implementation mitigates some of the risk in practice. Unescaped output and unprepared SQL are nonetheless fundamental weaknesses that should be fixed before someone finds a reachable path to them.
Key Concerns
- 0% output escaping
- 40% SQL queries not prepared
- 0 Nonce checks
- 0 Capability checks
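To make the four findings concrete, here is an added illustrative example; it is not code from the buddypress-foaf plugin. It assumes a hypothetical FOAF shortcode backed by the BuddyPress friends table ($bp->friends->table_name with columns initiator_user_id, friend_user_id, is_confirmed) and shows the flagged shapes (unprepared SQL, unescaped output, and a state-changing action with no nonce or ownership check) beside their hardened forms. The shortcode tag reuses the one listed in the fingerprints below; the function names and the friend-request handler are assumptions made for the example.

```php
<?php
/**
 * Added illustrative example; NOT code from the buddypress-foaf plugin.
 * Assumes the BuddyPress friends table ($bp->friends->table_name) and the
 * hypothetical function names below.
 */

/* ---- Insecure pattern: the shapes a static scan flags ---- */

function foaf_insecure_render( $atts ) {
    global $wpdb, $bp;
    $table   = $bp->friends->table_name;
    $user_id = isset( $_GET['user'] ) ? $_GET['user'] : bp_displayed_user_id();
    // Unprepared query: ?user=1 OR 1=1 rewrites the WHERE clause.
    $friends = $wpdb->get_col(
        "SELECT friend_user_id FROM {$table} WHERE initiator_user_id = {$user_id} AND is_confirmed = 1"
    );
    $out = '<ul class="bpfoaf">';
    foreach ( $friends as $id ) {
        // Unescaped output: a display name containing <script> is rendered verbatim.
        $out .= '<li>' . bp_core_get_user_displayname( $id ) . '</li>';
    }
    return $out . '</ul>';
}

/* ---- Hardened version ---- */

/**
 * Confirmed friend IDs of one or more users, through $wpdb->prepare().
 * The second hop needs an IN (...) list, so placeholders are generated to
 * match the number of IDs rather than interpolating the list into the SQL.
 */
function foaf_friend_ids( array $user_ids ) {
    global $wpdb, $bp;
    $user_ids = array_values( array_unique( array_map( 'absint', $user_ids ) ) );
    if ( empty( $user_ids ) ) {
        return array();
    }
    $table        = $bp->friends->table_name; // from BuddyPress config, never from the request
    $placeholders = implode( ',', array_fill( 0, count( $user_ids ), '%d' ) );
    $sql          = "SELECT friend_user_id FROM {$table}
                     WHERE initiator_user_id IN ({$placeholders}) AND is_confirmed = 1
                     UNION
                     SELECT initiator_user_id FROM {$table}
                     WHERE friend_user_id IN ({$placeholders}) AND is_confirmed = 1";
    $args = array_merge( $user_ids, $user_ids ); // one copy of the IDs per IN list
    return array_map( 'intval', $wpdb->get_col( $wpdb->prepare( $sql, $args ) ) );
}

function foaf_secure_render( $atts ) {
    // Integer-cast the only input the shortcode reads; a read-only display
    // needs no nonce, but every parameter still needs validation.
    $user_id = isset( $_GET['user'] ) ? absint( $_GET['user'] ) : bp_displayed_user_id();
    if ( ! $user_id ) {
        return '';
    }
    $friends = foaf_friend_ids( array( $user_id ) );
    // Second hop, minus the user and the people they already know.
    $foaf = array_diff( foaf_friend_ids( $friends ), $friends, array( $user_id ) );

    $out = '<ul class="bpfoaf">';
    foreach ( $foaf as $id ) {
        $out .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( bp_core_get_user_domain( $id ) ),
            esc_html( bp_core_get_user_displayname( $id ) )
        );
    }
    return $out . '</ul>';
}
add_shortcode( 'buddypressfoaf_show_potential_friends', 'foaf_secure_render' );

/**
 * Hypothetical state-changing action (sending a friend request from the list):
 * this is where nonce and authorization checks become mandatory.
 */
function foaf_handle_add_friend() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'foaf_add_friend' ); // CSRF: rejects requests without a valid nonce
    $target = absint( $_POST['friend_id'] ?? 0 );
    // Authorization by ownership: the initiator is always the logged-in user,
    // never an ID taken from the request.
    $me = bp_loggedin_user_id();
    if ( ! $target || $target === $me
        || friends_check_friendship_status( $me, $target ) !== 'not_friends' ) {
        wp_die( 'Invalid request', '', array( 'response' => 400 ) );
    }
    friends_add_friend( $me, $target );
    wp_safe_redirect( wp_get_referer() ?: bp_core_get_user_domain( $me ) );
    exit;
}
add_action( 'admin_post_foaf_add_friend', 'foaf_handle_add_friend' );
```

The form that posts to the handler would carry wp_nonce_field( 'foaf_add_friend' ); the point of the example is that the nonce and ownership checks belong on the action, while the read-only shortcode only needs input validation, prepared queries and escaped output.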
Buddypress Friend of a Friend (FOAF) Security Vulnerabilities
Buddypress Friend of a Friend (FOAF) Code Analysis
SQL Query Safety
Output Escaping
Buddypress Friend of a Friend (FOAF) Attack Surface
Shortcodes: 1
WordPress Hooks: 3
Buddypress Friend of a Friend (FOAF) Maintenance & Trust
Maintenance Signals
Community Trust
Buddypress Friend of a Friend (FOAF) Alternatives
BuddyPress Extended Friendship Request
buddypress-extended-friendship-request
BuddyPress Extended Friendship Request plugin allows users to send a personalized message with the friendship requests.
Mutual Buddies
mutual-buddies
Mutual buddies displays BuddyPress mutual friends of the logged in user & the user whose profile the user is looking at on the Profile page.
BP Mutual Friends
bp-mutual-friends
List users' mutual friends in BuddyPress easily. One click install and setup.
Buddypress Friends
buddypress-friends
This plugin adds a widget to Buddypress that displays the friends for the current user that is logged in.
Personalized Activity for Buddypress – Friends, Following, Admin
personalized-activity-for-buddypress-frfwa
Makes Buddypress Activity Personalized For Users, by Including Activity Feeds Only From Users They Are Friends With, Users They Are Following And Administrator of Your Community.
Buddypress Friend of a Friend (FOAF) Developer Profile
5 plugins · 290 total installs
How We Detect Buddypress Friend of a Friend (FOAF)
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/buddypress-foaf/css/bpfoaf.css
/wp-content/plugins/buddypress-foaf/js/bpfoaf.js
buddypress-foaf/css/bpfoaf.css?ver=
buddypress-foaf/js/bpfoaf.js?ver=
HTML / DOM Fingerprints
bpfoaf
[buddypressfoaf_show_potential_friends]
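An added example of applying these fingerprints to fetched page HTML; this is not the audit tool's own code. It assumes that the ?ver= value on the enqueued assets is the plugin version (the usual WordPress convention, not verified for this plugin), so the version it reports is labelled unverified, and the sample page is constructed, not captured from a real site.

```php
<?php
/**
 * Added example, not the audit tool's code. Checks one HTML document for the
 * three fingerprint classes listed above and pulls a version hint from ?ver=.
 */
function bpfoaf_detect( string $html ): array {
    $signals = array();
    $version = null;

    // Asset fingerprints: the enqueued stylesheet/script paths, optional ?ver=.
    if ( preg_match_all(
        '#buddypress-foaf/(?:css/bpfoaf\.css|js/bpfoaf\.js)(?:\?ver=([^"\'&\s]+))?#',
        $html,
        $m
    ) ) {
        $signals[] = 'asset';
        foreach ( $m[1] as $v ) {
            if ( $v !== '' ) {
                $version = $v; // assumption: ?ver= carries the plugin version
                break;
            }
        }
    }
    // DOM fingerprint: the bpfoaf class/id on the rendered profile block.
    if ( preg_match( '#\b(?:class|id)=["\'][^"\']*\bbpfoaf\b#', $html ) ) {
        $signals[] = 'dom';
    }
    // Unrendered shortcode, e.g. raw post content exposed through a feed or the REST API.
    if ( strpos( $html, '[buddypressfoaf_show_potential_friends' ) !== false ) {
        $signals[] = 'shortcode';
    }
    return array(
        'detected' => count( $signals ) > 0,
        'signals'  => $signals,
        'version'  => $version, // unverified, taken from ?ver=
    );
}

// Constructed sample page for the example; not captured from a real site.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.invalid/wp-content/plugins/buddypress-foaf/css/bpfoaf.css?ver=2.7" media="all">
<script src="https://example.invalid/wp-content/plugins/buddypress-foaf/js/bpfoaf.js?ver=2.7"></script>
<div id="item-body"><ul class="bpfoaf"><li>Friend of a friend</li></ul></div>
HTML;

print_r( bpfoaf_detect( $sample ) );
```

The asset check fires on the public profile page, the DOM check only once the block has actually rendered, and the shortcode check only on unrendered content; treating them as separate signals keeps a match on a cached stylesheet reference from being reported as a live, rendering installation.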