BuddyPress Members Only Security & Risk Analysis

wordpress.org/plugins/buddypress-members-only

BuddyPress Members Only restricts your BuddyPress and WordPress to logged-in/registered members.

1K active installs · v3.6.3 · PHP + WP 3.8+ · Updated Nov 8, 2025
buddypress, membership, private, protected, restricts
99
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Apr 1, 2025
Safety Verdict

Is BuddyPress Members Only Safe to Use in 2026?

Generally Safe

Score 99/100

BuddyPress Members Only has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Apr 1, 2025 · Updated 6mo ago
Risk Assessment

The "buddypress-members-only" plugin v3.6.3 exhibits a mixed security posture. While the static analysis indicates a relatively small attack surface and the absence of critical or high-severity issues in taint analysis, there are notable areas for improvement. The limited output escaping (62% properly escaped) presents a potential risk for Cross-Site Scripting (XSS) vulnerabilities, especially as this has been a common vulnerability type in the plugin's history.

The plugin's vulnerability history, with two known medium-severity CVEs related to XSS and improper access control, suggests a pattern of past security weaknesses. Although there are currently no unpatched vulnerabilities, the historical trend warrants caution. The presence of nonce checks and capability checks is positive, but the potential for unescaped output remains a concern given past issues.

In conclusion, the plugin has strengths in its limited entry points and lack of raw SQL queries. However, the historical medium-severity vulnerabilities, particularly those related to XSS, coupled with a significant percentage of unescaped output, indicate an ongoing need for vigilance and code review to ensure robust security.

Key Concerns

  • Significant unescaped output detected
  • Historical medium vulnerabilities (XSS, Access Control)
Vulnerabilities
2 published

BuddyPress Members Only Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-31812 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BuddyPress Members Only <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 1, 2025 Patched in 3.6.3 (224d)
CVE-2024-0972 · medium · 5.3 · Improper Access Control

BuddyPress Members Only <= 3.4.8 - Improper Access Control to Sensitive Information Exposure via REST API

Jun 5, 2024 Patched in 4.4.9 (65d)
Version History

BuddyPress Members Only Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

BuddyPress Members Only Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 61 (101 escaped)
Nonce Checks: 5
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

62% escaped · 162 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

9 flows
buddypress_members_only_setting (buddypress-members-only.php:82)
Attack Surface

BuddyPress Members Only Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[restriction] rules\shortcoderestriction.php:48
WordPress Hooks 25

  • action · admin_menu · buddypress-members-only.php:54
  • action · plugins_loaded · buddypress-members-only.php:57
  • action · wp · buddypress-members-only.php:948
  • action · wp_head · buddypress-members-only.php:950
  • filter · login_redirect · buddypress-members-only.php:1022
  • filter · bp_login_redirect · buddypress-members-only.php:1023
  • action · admin_head · buddypress-members-only.php:1047
  • action · add_meta_boxes · buddypress-members-only.php:1052
  • action · save_post · buddypress-members-only.php:1053
  • action · admin_notices · buddypress-members-only.php:1150
  • filter · bp_activity_enable_feeds · rules\activityrssrestrict.php:21
  • action · init · rules\bpmoinit.php:46
  • filter · embed_oembed_discover · rules\rest.php:21
  • filter · json_enabled · rules\rest.php:26
  • filter · json_jsonp_enabled · rules\rest.php:28
  • filter · rest_enabled · rules\rest.php:30
  • filter · rest_jsonp_enabled · rules\rest.php:32
  • filter · rest_authentication_errors · rules\rest.php:34
  • action · do_feed · rules\restrictwordpressrss.php:45
  • action · do_feed_rdf · rules\restrictwordpressrss.php:46
  • action · do_feed_rss · rules\restrictwordpressrss.php:47
  • action · do_feed_rss2 · rules\restrictwordpressrss.php:48
  • action · do_feed_atom · rules\restrictwordpressrss.php:49
  • action · do_feed_rss2-comments · rules\restrictwordpressrss.php:50
  • action · do_feed_atom-comments · rules\restrictwordpressrss.php:51
Maintenance & Trust

BuddyPress Members Only Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 8, 2025
PHP min version
Downloads: 120K

Community Trust

Rating: 74/100
Number of ratings: 26
Active installs: 1K
Developer Profile

BuddyPress Members Only Developer Profile

Tomas

12 plugins · 7K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 526 days
Detection Fingerprints

How We Detect BuddyPress Members Only

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/buddypress-members-only/admin/js/admin.js
/wp-content/plugins/buddypress-members-only/admin/css/admin.css
Version Parameters
buddypress-members-only/admin/js/admin.js?ver=
buddypress-members-only/admin/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
bp-members-only-notice
HTML Comments
!!! start 3.4.9
!!! end 3.4.9
!!! before 3.4.9
!!!start
(+1 more)
Data Attributes
data-bpmo-nonce
JS Globals
bpmo_admin_ajax_url
bpmo_admin_ajax_nonce
REST Endpoints
/wp-json/bpmo/v1/settings
FAQ

Frequently Asked Questions about BuddyPress Members Only