BuddyPress Follow Security & Risk Analysis

wordpress.org/plugins/buddypress-followers

Follow members on your BuddyPress site with this nifty plugin.

1K active installs v1.2.2 PHP + WP + Updated Nov 28, 2017
Tags: buddypress, connections, followers, following
Score 85 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BuddyPress Follow Safe to Use in 2026?

Generally Safe

Score 85/100

BuddyPress Follow has no known CVEs, but its last release was November 28, 2017, more than eight years before this analysis, so it should be treated as unmaintained rather than actively maintained. It can still be a reasonable choice where the code-level concerns below are reviewed and patched locally.

No known CVEs · Updated 8yr ago
Risk Assessment

The buddypress-followers v1.2.2 plugin shows a generally good security posture. All 20 SQL queries the scanner found go through prepared statements, the attack surface is small (two AJAX handlers, both on the authenticated wp_ajax_ hook), and nonce checks are present on the state-changing paths. No CVE has ever been filed against it; with roughly 1K installs and no release since November 2017, that record says as much about limited researcher attention as about code quality, so it should not be read as evidence that the remaining findings are harmless.

There are, however, three concrete weaknesses. The three create_function() calls (loader.php:40, _inc\bp-follow-screens.php:124, _inc\bp-follow-widgets.php:113) each pass a literal code string, so the classic risk of that function, which compiles its argument with eval() and becomes arbitrary code execution the moment user input is interpolated, is not triggered by these call sites as found. The practical problem is compatibility: create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so on current PHP the admin notice, the template-content hook and the widget registration each fail with a fatal "Call to undefined function" error. Output escaping is weak: only 9 of 27 detected output sites (33%) pass through an escaping function, leaving 18 candidate cross-site scripting sinks that need manual review to establish whether the echoed value can be attacker-influenced. Finally, the two AJAX handlers (wp_ajax_bp_follow, wp_ajax_bp_unfollow) rely on a nonce but record no capability or ownership check. Because they are registered only on wp_ajax_ and not on wp_ajax_nopriv_, unauthenticated users cannot reach them; the concern is the authenticated case, where a nonce alone does not establish that the follower being written is the current user, and the scan cannot confirm that one logged-in member is prevented from creating or removing follow relationships on behalf of another.

In conclusion, while the plugin has a clean vulnerability history and uses prepared statements throughout, the create_function() calls and the low escaping coverage are real weaknesses. Because the last release was in November 2017, fixes are unlikely to arrive upstream; a site that keeps the plugin should patch the create_function() calls locally (closures are a drop-in replacement) before moving to PHP 8, and review the 18 unescaped outputs.

Key Concerns

  • Dangerous function create_function used (3 call sites; removed in PHP 8.0)
  • Low percentage of properly escaped output (9 of 27 output sites)
  • No capability or ownership checks on the two AJAX handlers (nonce-only)
Vulnerabilities
None known

BuddyPress Follow Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

BuddyPress Follow Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 0 (20 prepared)
Unescaped Output: 18 (9 escaped)
Nonce Checks: 4
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

create_function  loader.php:40
  add_action( 'admin_notices', create_function( '', "
create_function  _inc\bp-follow-screens.php:124
  add_action( 'bp_template_content', create_function( '', "
create_function  _inc\bp-follow-widgets.php:113
  add_action( 'widgets_init', create_function( '', 'return register_widget("BP_Follow_Following_Widget
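The following is an added example, not code from the buddypress-followers plugin. It contrasts the create_function() pattern reported at the three call sites above with the closure form that replaces it, and notes why the function is flagged even when its argument is a literal. It runs inside WordPress (add_action, register_widget and esc_html__ are WordPress core); the notice text and the 'bp-follow' text domain are assumptions for illustration.

```php
<?php
// Added example; not code from the buddypress-followers plugin. Contrasts the
// create_function() pattern at loader.php:40, _inc\bp-follow-screens.php:124 and
// _inc\bp-follow-widgets.php:113 with the closure form that replaces it.
// Runs inside WordPress. Notice text and text domain are assumptions.

// BEFORE: the callback body is a string that PHP compiles with eval() at call time.
// create_function() is deprecated since PHP 7.2 and removed in PHP 8.0, where each
// of these lines dies with "Call to undefined function create_function()".
// Interpolating a variable into the string, e.g. "echo '" . $_GET['m'] . "';",
// turns it into arbitrary code execution; the plugin's call sites use literals,
// so the compatibility failure is the live problem for them.
function bpf_example_legacy_hooks() {
    add_action( 'admin_notices', create_function( '',
        "echo '<div class=\"error\"><p>BuddyPress Follow requires BuddyPress.</p></div>';"
    ) );
    add_action( 'widgets_init', create_function( '',
        'return register_widget("BP_Follow_Following_Widget");'
    ) );
}

// AFTER: anonymous functions (PHP 5.3+) give the same hook behaviour, are compiled
// with the rest of the file, and contain no string-to-code step at all.
function bpf_example_closure_hooks() {
    add_action( 'admin_notices', function () {
        echo '<div class="error"><p>'
            . esc_html__( 'BuddyPress Follow requires BuddyPress.', 'bp-follow' )
            . '</p></div>';
    } );
    add_action( 'widgets_init', function () {
        register_widget( 'BP_Follow_Following_Widget' );
    } );
}

// Only the closure variant is wired up; the legacy function is kept for comparison
// and is never called, so this file loads cleanly on PHP 8 as well.
bpf_example_closure_hooks();

// After patching locally, confirm nothing was missed before the PHP 8 upgrade:
//   grep -rn "create_function" wp-content/plugins/buddypress-followers/
// should print nothing.
```

The widget example mirrors the third call site, which wraps a single register_widget() call in create_function(); since the closure receives no arguments and returns nothing useful to widgets_init, the original `return` can simply be dropped.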

SQL Query Safety

100% prepared (20 total queries)

Output Escaping

33% escaped (9 of 27 total outputs)
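To make the escaping finding concrete, the following added example (not the plugin's own template code) renders the follow button whose markup the fingerprint section documents (class bp-follow-button, data-bp-follow-id, data-bp-follow-nonce), first in the unescaped style that accounts for 18 of the 27 output sites, then with the escaper chosen per HTML context. It runs inside WordPress; the helper names, the 'bp_follow_{id}' nonce action and the origin of $label are assumptions.

```php
<?php
// Added example, not the plugin's template code. Runs inside WordPress
// (wp_create_nonce, absint, esc_url, esc_attr, esc_html are WP core).
// Helper names, nonce action string and the source of $label are assumptions.

// UNESCAPED: each interpolated value is a candidate XSS sink. A display name or a
// profile field can carry quotes and angle brackets; an ID copied from a request
// can carry anything at all.
function bpf_example_follow_button_unescaped( $leader_id, $label, $action_url ) {
    $nonce = wp_create_nonce( 'bp_follow_' . $leader_id );
    return '<a class="bp-follow-button" href="' . $action_url
         . '" data-bp-follow-id="' . $leader_id
         . '" data-bp-follow-nonce="' . $nonce . '">'
         . $label . '</a>';
}

// ESCAPED: choose the escaper by the HTML context the value lands in, not by where
// the value came from, and apply it at output time even if the value was sanitized
// on the way in ("late escaping").
function bpf_example_follow_button_escaped( $leader_id, $label, $action_url ) {
    $leader_id = absint( $leader_id );                  // IDs are integers; coerce, do not trust
    $nonce     = wp_create_nonce( 'bp_follow_' . $leader_id );
    return sprintf(
        '<a class="bp-follow-button" href="%s" data-bp-follow-id="%d" data-bp-follow-nonce="%s">%s</a>',
        esc_url( $action_url ),   // URL context: rejects javascript: and other disallowed schemes
        $leader_id,               // %d forces an integer, nothing left to escape
        esc_attr( $nonce ),       // attribute context
        esc_html( $label )        // text context: < > & " ' become entities
    );
}

// With a hostile label the unescaped form emits a live <script> element; the
// escaped form renders the same input as visible text.
$hostile = 'Follow<script>alert(document.cookie)</script>';
echo bpf_example_follow_button_unescaped( 42, $hostile, 'https://example.test/members/x/follow/' );
echo bpf_example_follow_button_escaped( 42, $hostile, 'https://example.test/members/x/follow/' );
```

When reviewing the 18 unescaped sites, the question for each is the one this pair illustrates: which context does the value land in (attribute, URL, text, JavaScript), and is there any path by which a member-controlled string reaches it.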
Data Flows
All sanitized

Data Flow Analysis

3 flows
bp_follow_ajax_action_start (_inc\bp-follow-actions.php:138)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

BuddyPress Follow Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 2

auth  wp_ajax_bp_follow  _inc\bp-follow-actions.php:178
auth  wp_ajax_bp_unfollow  _inc\bp-follow-actions.php:229
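Both handlers above are authenticated-only (wp_ajax_, no wp_ajax_nopriv_) and nonce-checked, but the scan records no capability or ownership check. The following added example, which is not the plugin's handler at _inc\bp-follow-actions.php:178, shows what a wp_ajax_bp_follow handler with that missing step looks like: the follower is pinned to the session user, the target is validated, and the nonce is bound to the target. It runs inside WordPress; the 'uid' and 'nonce' request fields, the 'bp_follow_{id}' nonce action, the bpf_example_* helper names and the user-meta store are assumptions, and the plugin's own storage layer is not reproduced.

```php
<?php
// Added example, not the plugin's own handler. Runs inside WordPress.
// Request field names, nonce action, helper names and the user-meta store are
// assumptions standing in for the plugin's own conventions and tables.

add_action( 'wp_ajax_bp_follow', 'bpf_example_ajax_follow' );
// Deliberately no wp_ajax_nopriv_bp_follow: anonymous requests get admin-ajax.php's
// default "0" / HTTP 400 response and never reach this code.

function bpf_example_ajax_follow() {
    // Authentication. wp_ajax_* already implies a session; stating it keeps the
    // handler safe if someone later registers a nopriv hook pointing here.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }

    // Input validation: the target must be a real, positive user ID.
    $leader_id = isset( $_POST['uid'] ) ? absint( wp_unslash( $_POST['uid'] ) ) : 0;
    if ( 0 === $leader_id || false === get_userdata( $leader_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid user' ), 400 );
    }

    // CSRF: the nonce action includes the target, so a nonce issued for one profile
    // page cannot be replayed against another. Third argument false: report, do not die().
    if ( ! check_ajax_referer( 'bp_follow_' . $leader_id, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'bad nonce' ), 403 );
    }

    // Authorization: the follower is the caller, never a request parameter. This is
    // the check a nonce alone does not give you: a valid nonce only proves the
    // request came from a page the site served to some logged-in user.
    $follower_id = get_current_user_id();
    if ( $follower_id === $leader_id ) {
        wp_send_json_error( array( 'message' => 'cannot follow yourself' ), 400 );
    }
    if ( ! user_can( $follower_id, 'read' ) ) {   // baseline capability; tighten per site policy
        wp_send_json_error( array( 'message' => 'not allowed' ), 403 );
    }

    // State change with the follower pinned to the session user.
    if ( bpf_example_is_following( $leader_id, $follower_id ) ) {
        wp_send_json_error( array( 'message' => 'already following' ), 409 );
    }
    if ( ! bpf_example_start_following( $leader_id, $follower_id ) ) {
        wp_send_json_error( array( 'message' => 'could not save' ), 500 );
    }
    wp_send_json_success( array( 'leader_id' => $leader_id, 'follower_id' => $follower_id ) );
}

// Illustrative storage on user meta (assumption; stands in for the plugin's tables).
function bpf_example_following_list( $follower_id ) {
    $raw = (array) get_user_meta( $follower_id, 'bpf_example_following', true );
    return array_map( 'intval', array_filter( $raw ) );
}
function bpf_example_is_following( $leader_id, $follower_id ) {
    return in_array( (int) $leader_id, bpf_example_following_list( $follower_id ), true );
}
function bpf_example_start_following( $leader_id, $follower_id ) {
    $list   = bpf_example_following_list( $follower_id );
    $list[] = (int) $leader_id;
    $list   = array_values( array_unique( $list ) );
    return false !== update_user_meta( $follower_id, 'bpf_example_following', $list );
}
```

The unfollow handler at line 229 needs the same shape; the only difference is that the target must currently be followed by the session user, and that relationship, not a request-supplied follower ID, is what gets removed.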
WordPress Hooks 46
action  wp_enqueue_scripts  bp-follow-core.php:130
action  bp_adminbar_menus  bp-follow-core.php:185
action  bp_loaded  bp-follow-core.php:349
action  admin_notices  loader.php:40
action  bp_include  loader.php:47
action  plugins_loaded  loader.php:102
action  bp_actions  _inc\bp-follow-actions.php:49
action  bp_actions  _inc\bp-follow-actions.php:88
action  bp_actions  _inc\bp-follow-actions.php:127
filter  bp_template_stack  _inc\bp-follow-backpat.php:123
filter  bp_get_template_stack  _inc\bp-follow-backpat.php:173
action  wpmu_delete_user  _inc\bp-follow-functions.php:202
action  delete_user  _inc\bp-follow-functions.php:203
action  make_spam_user  _inc\bp-follow-functions.php:204
filter  bp_has_members  _inc\bp-follow-hooks.php:68
filter  bp_group_has_members  _inc\bp-follow-hooks.php:121
action  bp_member_header_actions  _inc\bp-follow-hooks.php:140
action  bp_directory_members_actions  _inc\bp-follow-hooks.php:158
action  bp_group_members_list_item_action  _inc\bp-follow-hooks.php:178
action  bp_before_activity_type_tab_friends  _inc\bp-follow-hooks.php:200
action  bp_members_directory_member_types  _inc\bp-follow-hooks.php:223
filter  bp_dtheme_ajax_querystring  _inc\bp-follow-hooks.php:255
filter  bp_legacy_theme_ajax_querystring  _inc\bp-follow-hooks.php:256
filter  bp_dtheme_ajax_querystring  _inc\bp-follow-hooks.php:276
filter  bp_legacy_theme_ajax_querystring  _inc\bp-follow-hooks.php:277
filter  bp_ajax_querystring  _inc\bp-follow-hooks.php:346
action  bp_activity_screen_following  _inc\bp-follow-hooks.php:368
action  bp_before_activity_loop  _inc\bp-follow-hooks.php:401
filter  bp_get_sitewide_activity_feed_link  _inc\bp-follow-hooks.php:438
filter  bp_dtheme_activity_feed_url  _inc\bp-follow-hooks.php:439
filter  bp_legacy_theme_activity_feed_url  _inc\bp-follow-hooks.php:440
filter  gettext  _inc\bp-follow-hooks.php:457
filter  bp_has_activities  _inc\bp-follow-hooks.php:462
action  bp_after_activity_loop  _inc\bp-follow-hooks.php:518
action  bp_follow_remove_data  _inc\bp-follow-notifications.php:86
action  bp_follow_start_following  _inc\bp-follow-notifications.php:125
action  bp_follow_stop_following  _inc\bp-follow-notifications.php:146
action  bp_members_screen_display_profile  _inc\bp-follow-notifications.php:172
action  bp_follow_screen_followers  _inc\bp-follow-notifications.php:210
filter  bp_follow_new_followers_notification  _inc\bp-follow-notifications.php:235
action  bp_notification_settings  _inc\bp-follow-notifications.php:272
action  bp_member_plugin_options_nav  _inc\bp-follow-screens.php:115
action  bp_after_member_plugin_template  _inc\bp-follow-screens.php:118
action  bp_template_content  _inc\bp-follow-screens.php:124
filter  bp_located_template  _inc\bp-follow-screens.php:131
action  widgets_init  _inc\bp-follow-widgets.php:113
Maintenance & Trust

BuddyPress Follow Maintenance & Trust

Maintenance Signals

WordPress version tested
Last updated: Nov 28, 2017
PHP min version
Downloads: 76K

Community Trust

Rating: 86/100
Number of ratings: 15
Active installs: 1K
Developer Profile

BuddyPress Follow Developer Profile

Andy Peatling

3 plugins · 1K total installs

Trust score: 84
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect BuddyPress Follow

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/buddypress-followers/_inc/css/bp-follow.css
/wp-content/plugins/buddypress-followers/_inc/js/bp-follow.js
Script Paths
/wp-content/plugins/buddypress-followers/_inc/js/bp-follow.js
Version Parameters
buddypress-followers/bp-follow-core.php?ver=
buddypress-followers/_inc/css/bp-follow.css?ver=
buddypress-followers/_inc/js/bp-follow.js?ver=

HTML / DOM Fingerprints

CSS Classes
bp-follow-button
bp-follow-count
follow-button-wrapper
HTML Comments
<!-- If no logged in user and not on a member profile, do not show the follow button.
<!-- If the user is not logged in, do not show the follow button.
<!-- Show the follow button if the user is logged in, and if they are not viewing their own profile.
<!-- If the user is logged in and they are viewing their own profile, do not show the follow button.
Data Attributes
data-bp-follow-id
data-bp-follow-nonce
data-bp-follow-text-follow
data-bp-follow-text-unfollow
JS Globals
bp_follow_ajax_url
bp_follow_nonce
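The following added example, which is not the scanner's own detector, applies the fingerprints listed above to a single page body: the asset paths with their ?ver= parameter, the CSS classes, the data attributes and the JS globals. It requires two independent signal families before reporting a hit, so a page that merely links to or discusses the plugin is not flagged. The sample HTML is constructed for the demonstration and the URLs in it are not real.

```php
<?php
// Added example, not the scanner's code. Matches the documented fingerprints
// against one HTML document. Sample input below is constructed.

function bpf_example_fingerprint( $html ) {
    $signals = array();
    $version = null;

    // Asset paths. WordPress appends ?ver= to enqueued assets; if the plugin did not
    // pass its own version the value is the core WP version, so treat it as a hint,
    // not as proof of the plugin version.
    $assets = array(
        'buddypress-followers/_inc/js/bp-follow.js',
        'buddypress-followers/_inc/css/bp-follow.css',
    );
    foreach ( $assets as $asset ) {
        $re = '#/wp-content/plugins/' . preg_quote( $asset, '#' ) . '(?:\?ver=([0-9][0-9A-Za-z.\-]*))?#';
        if ( preg_match( $re, $html, $m ) ) {
            $signals[] = 'asset:' . basename( $asset );
            if ( isset( $m[1] ) && '' !== $m[1] ) {
                $version = $m[1];
            }
        }
    }

    // Markup the plugin's templates emit on member pages. Whole-token match inside
    // the class attribute, so bp-follow-button does not match a longer class name.
    foreach ( array( 'bp-follow-button', 'bp-follow-count', 'follow-button-wrapper' ) as $cls ) {
        if ( preg_match( '/class="(?:[^"]*\s)?' . preg_quote( $cls, '/' ) . '(?:\s[^"]*)?"/', $html ) ) {
            $signals[] = 'class:' . $cls;
        }
    }
    $attrs = array( 'data-bp-follow-id', 'data-bp-follow-nonce', 'data-bp-follow-text-follow', 'data-bp-follow-text-unfollow' );
    foreach ( $attrs as $attr ) {
        if ( false !== stripos( $html, ' ' . $attr . '=' ) ) {
            $signals[] = 'attr:' . $attr;
        }
    }
    // JS globals, whether declared as "var x =" or as a key in a localized object.
    foreach ( array( 'bp_follow_ajax_url', 'bp_follow_nonce' ) as $global ) {
        if ( preg_match( '/\b' . preg_quote( $global, '/' ) . '\s*[=:]/', $html ) ) {
            $signals[] = 'js:' . $global;
        }
    }

    // Distinct signal families seen (asset, class, attr, js).
    $families = array_unique( array_map( function ( $s ) {
        return explode( ':', $s, 2 )[0];
    }, $signals ) );

    return array(
        'detected' => count( $families ) >= 2,
        'version'  => $version,
        'signals'  => $signals,
    );
}

// Constructed sample: roughly what a member page with the plugin active would send.
$sample_html = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/buddypress-followers/_inc/css/bp-follow.css?ver=1.2.2">
<div class="follow-button-wrapper"><a class="bp-follow-button" href="#" data-bp-follow-id="7" data-bp-follow-nonce="d41d8cd9">Follow</a></div>
<script>var bp_follow_ajax_url = "https://example.test/wp-admin/admin-ajax.php", bp_follow_nonce = "d41d8cd9";</script>
<script src="https://example.test/wp-content/plugins/buddypress-followers/_inc/js/bp-follow.js?ver=1.2.2"></script>
HTML;

print_r( bpf_example_fingerprint( $sample_html ) );
```

The two-family rule is the practical point: asset paths are the cheapest signal to forge or to find in unrelated contexts (a cached copy, a blog post quoting the URL), whereas the follow-button markup and the localized JS globals only appear when the plugin actually rendered the page.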
FAQ

Frequently Asked Questions about BuddyPress Follow