WP-Safety

BuddyPress Sticker Security & Risk Analysis

wordpress.org/plugins/buddypress-sticker

BuddyPress stickers Allow Users to add stickers in activity posts and message by clicking on icons

30 active installs v1.4 PHP + WP 3.8+ Updated Jun 5, 2016
activitybuddypressmessagesticker
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is BuddyPress Sticker Safe to Use in 2026?

Generally Safe

Score 85/100

BuddyPress Sticker has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago
Risk Assessment

The "buddypress-sticker" v1.4 plugin presents a mixed security posture. On the positive side, the absence of recorded vulnerabilities and the exclusive use of prepared statements for SQL queries are strong indicators of past good security practices and careful development. The plugin also avoids dangerous functions, file operations, and external HTTP requests, further minimizing its attack surface in these areas.

However, the static analysis reveals significant concerns. The plugin exposes two AJAX handlers, both of which lack authentication checks. This is a critical vulnerability that could allow unauthenticated users to execute arbitrary actions through these handlers. Furthermore, the output escaping is entirely absent, meaning any data processed and displayed by the plugin is vulnerable to Cross-Site Scripting (XSS) attacks. The lack of nonce checks and capability checks on the identified entry points exacerbates these risks, as it provides no protection against CSRF or unauthorized privilege escalation.

In conclusion, while the plugin has a clean vulnerability history and handles SQL securely, the identified security flaws in its AJAX handlers and output escaping are severe. The complete lack of authentication and proper sanitization on its entry points creates a substantial risk of unauthorized access and XSS vulnerabilities. These issues require immediate attention to secure the plugin.

Key Concerns

  • AJAX handlers without authentication checks
  • Output escaping completely absent
  • No nonce checks on entry points
  • No capability checks on entry points
Vulnerabilities
None known

BuddyPress Sticker Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

BuddyPress Sticker Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
3
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped3 total outputs
Attack Surface
2 unprotected

BuddyPress Sticker Attack Surface

Entry Points2
Unprotected2

AJAX Handlers 2

authwp_ajax_bp_sticker_ajaxbp-sticker.php:37
noprivwp_ajax_bp_sticker_ajaxbp-sticker.php:38
WordPress Hooks 14
actionwp_enqueue_scriptsbp-sticker.php:31
actionwp_print_stylesbp-sticker.php:32
actionbp_before_activity_post_formbp-sticker.php:33
actionbp_activity_entry_commentsbp-sticker.php:34
actionbp_after_messages_compose_contentbp-sticker.php:35
actionbp_after_message_reply_boxbp-sticker.php:36
filterbp_get_activity_latest_updatebp-sticker.php:39
filterbp_get_activity_latest_update_excerptbp-sticker.php:40
filterbp_get_activity_content_bodybp-sticker.php:41
filterbp_get_activity_actionbp-sticker.php:42
filterbp_get_activity_contentbp-sticker.php:43
filterbp_get_activity_parent_contentbp-sticker.php:44
filterbp_get_the_thread_message_contentbp-sticker.php:45
filterbp_get_message_thread_excerptbp-sticker.php:46
Maintenance & Trust

BuddyPress Sticker Maintenance & Trust

Maintenance Signals

WordPress version tested4.5.33
Last updatedJun 5, 2016
PHP min version
Downloads10K

Community Trust

Rating92/100
Number of ratings10
Active installs30
Alternatives

BuddyPress Sticker Alternatives

Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages

Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages

bp-better-messages

A
88

Real-time messaging and chat rooms for WordPress ecosystem: private conversations, public and private chat rooms, video & audio calls, and more.

10K 13 CVEs
BuddyPress Activity Shortcode

BuddyPress Activity Shortcode

bp-activity-shortcode

A
99

BuddyPress Activity shortcode plugin allows you to insert BuddyPress activity stream on any page/post using shortcode.

2K 1 CVE
Activity Plus Reloaded for BuddyPress

Activity Plus Reloaded for BuddyPress

bp-activity-plus-reloaded

D
46

Note: This plugin will be discontinued by March 31st, 2025 in favor of BuddyPress Attachment plugin. Please migrate to the new plugin before that date …

1K 2 unpatched
BuddyPress Group Email Subscription

BuddyPress Group Email Subscription

buddypress-group-email-subscription

A
92

This powerful plugin allows users to receive email notifications of group activity. Weekly or daily digests are available.

1K No CVEs
BuddyPress Edit Activity

BuddyPress Edit Activity

buddypress-edit-activity

A
85

BuddyPress Edit Activity allows your members to edit their activity posts on the front-end of your BuddyPress-powered site.

900 No CVEs
Developer Profile

BuddyPress Sticker Developer Profile

aghajoon

4 plugins · 60 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect BuddyPress Sticker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/buddypress-sticker/css/bp-sticker.css/wp-content/plugins/buddypress-sticker/js/bp-sticker.js
Script Paths
/wp-content/plugins/buddypress-sticker/js/bp-sticker.js
Version Parameters
buddypress-sticker/css/bp-sticker.css?ver=

HTML / DOM Fingerprints

CSS Classes
bp-smiley-buttonbuddypress-smiley-buttonbp-smiley-nobp-smiley-button-commentbp-smiley-no-commentdivstibpsmileyst-smiley
Data Attributes
data-code
FAQ

Frequently Asked Questions about BuddyPress Sticker