[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fT27ZCpXw0x9ROlXj-1yBZzi1vkRTJXDfneuBelzS4uM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":48,"crawl_stats":38,"alternatives":52,"analysis":154,"fingerprints":297},"buddypress-xprofile-image-field","BuddyPress XProfile Custom Image Field","3.1.0","Alex Githatu","https:\u002F\u002Fprofiles.wordpress.org\u002Fkalengi\u002F","\u003Cp>The BuddyPress XProfile module does not support Image type fields. The BuddyPress XProfile Custom Image Field (BPXPIF) plugin allows you to add fields of type Image to a BuddyPress user profile.\u003C\u002Fp>\n\u003Cp>Images uploaded during User Registration can be viewed on the Manage Signups screen to allow the Site Administrator to review them before activating a new user account.\u003C\u002Fp>\n\u003Cp>The BPXPIF plugin has a number of action hooks that allow theme and plugin developers to modify its behavior.\u003C\u002Fp>\n\u003Cp>This plugin requires BuddyPress minimum version 1.5 and has been tested up to BuddyPress version 14.4.0\u003C\u002Fp>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>English – default\u003C\u002Fli>\n\u003Cli>Spanish translation by \u003Ca href=\"http:\u002F\u002Fwww.webhostinghub.com\u002F\" rel=\"nofollow ugc\">Andrew Kurtis – WebHostingHub\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","With the BPXPIF plugin you can add XProfile fields of type Image without writing any custom 
code.",300,21110,96,6,"2026-01-08T18:15:00.000Z","6.9.4","3.2.1","",[20,21,22,23,24],"buddypress","field","image","image-field","xprofile","https:\u002F\u002Falextheafrican.wordpress.com\u002F2012\u002F03\u002F10\u002Fhow-to-add-an-image-field-to-buddypress-extended-profile-fields\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbuddypress-xprofile-image-field.3.1.0.zip",95,1,0,"2025-07-31 00:00:00","2026-03-15T15:16:48.613Z",[33],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":6,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":30,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2025-48158","buddypress-xprofile-custom-image-field-unauthenticated-arbitrary-file-deletion","BuddyPress XProfile Custom Image Field \u003C= 3.0.1 - Unauthenticated Arbitrary File Deletion","The BuddyPress XProfile Custom Image Field plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.0.1. 
This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",null,"\u003C=3.0.1","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2025-08-04 20:14:59",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6c8720bc-7431-416a-8da3-62c49e2f2afd?source=api-prod",5,{"slug":49,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":47,"trust_score":50,"computed_at":51},"kalengi",97,"2026-04-04T00:44:03.072Z",[53,74,94,116,134],{"slug":54,"name":55,"version":56,"author":57,"author_profile":58,"description":59,"short_description":60,"active_installs":61,"downloaded":62,"rating":63,"num_ratings":64,"last_updated":65,"tested_up_to":16,"requires_at_least":66,"requires_php":67,"tags":68,"homepage":71,"download_link":72,"security_score":50,"vuln_count":28,"unpatched_count":29,"last_vuln_date":73,"fetched_at":31},"bp-xprofile-custom-field-types","BuddyPress Xprofile Custom Field Types","1.3.0","BuddyDev","https:\u002F\u002Fprofiles.wordpress.org\u002Fbuddydev\u002F","\u003Cp>BuddyPress Xprofile Custom Field Types plugin adds some essential field types to BuddyPress Profile.\u003C\u002Fp>\n\u003Cp>The newly added BuddyPress field types are:-\u003Cbr \u002F>\n* Birthdate.\u003Cbr \u002F>\n* Image.\u003Cbr \u002F>\n* File.\u003Cbr \u002F>\n* Checkbox acceptance.\u003Cbr \u002F>\n* Country field.\u003Cbr \u002F>\n* From\u002FTo field(can be used to show 2 numbers or text strings).\u003Cbr \u002F>\n* Token (can be used to set a list of predefined approved codes for registration etc).\u003Cbr \u002F>\n* oEmbed ( allow your users to use youtube\u002Ffacebook, vimeo and other oembed supporting urls to embed in their 
profile).\u003Cbr \u002F>\n* \u003Ca href=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002Fhtml-markup\u002Finput.email.html\" title=\"Input type email - HTML5\" rel=\"nofollow ugc\">Email\u003C\u002Fa>.\u003Cbr \u002F>\n* \u003Ca href=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002Fhtml-markup\u002Finput.url.html\" title=\"Input type url - HTML5\" rel=\"nofollow ugc\">Web\u003C\u002Fa>.\u003Cbr \u002F>\n* \u003Ca href=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002F2013\u002FNOTE-html-markup-20130528\u002Finput.date.html\" title=\"Input type date - HTML5\" rel=\"nofollow ugc\">Datepicker\u003C\u002Fa>.\u003Cbr \u002F>\n* Custom post type selector.\u003Cbr \u002F>\n* Custom post type multiselector.\u003Cbr \u002F>\n* \u003Ca href=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002F2013\u002FNOTE-html-markup-20130528\u002Finput.color.html\" title=\"Input type color - HTML5\" rel=\"nofollow ugc\">Colorpicker\u003C\u002Fa>.\u003Cbr \u002F>\n* Decimal number.\u003Cbr \u002F>\n* Number within min\u002Fmax values.\u003Cbr \u002F>\n* Custom taxonomy selector.\u003Cbr \u002F>\n* Custom taxonomy multiselector.\u003Cbr \u002F>\n* Range input (slider)\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fselect2.github.io\u002F\" rel=\"nofollow ugc\">Select2 javascript plugin\u003C\u002Fa> for select boxes.\u003C\u002Fp>\n\u003Cp>BuddyPress Xprofile Custom Field Types is 100% compatible with \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbp-profile-search\u002F\" rel=\"ugc\">BP Profile Search plugin\u003C\u002Fa>.\u003Cbr \u002F>\nAt the moment, following fields are searchable using BP Profile Search:-\u003Cbr \u002F>\n* Birthdate\u003Cbr \u002F>\n* Datepicker\u003Cbr \u002F>\n* Color\u003Cbr \u002F>\n* Email\u003Cbr \u002F>\n* Web\u003Cbr \u002F>\n* Number Min\u002FMax\u003Cbr \u002F>\n* Range Input\u003Cbr \u002F>\n* Decimal Number\u003Cbr \u002F>\n* Country\u003Cbr \u002F>\nOther fields such as post type, taxonomy etc., are not searchable as they are stored in serialized format( 
due to back compatibility).\u003C\u002Fp>\n\u003Cp>The plugin is opensource and currently developed on github. We welcome you to be part of its future development at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbuddydev\u002Fbp-xprofile-custom-field-types\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fbuddydev\u002Fbp-xprofile-custom-field-types\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Discuss the plugin on our \u003Ca href=\"https:\u002F\u002Fbuddydev.com\u002Fadd-extra-buddypress-profile-fields-with-buddypress-xprofile-custom-field-types-plugin\u002F\" rel=\"nofollow ugc\">release post\u003C\u002Fa> or view the plugin’s \u003Ca href=\"https:\u002F\u002Fbuddydev.com\u002Fplugins\u002Fbp-xprofile-custom-field-types\u002F\" rel=\"nofollow ugc\">detailed documentation here\u003C\u002Fa>.\u003Cbr \u002F>\nThe idea is based on @donmik’s plugin. This plugin is a complete rewrite. Some field type do share code with the original plugin. My guess, we are using 20-30% of the code for field types from the original.\u003C\u002Fp>\n\u003Cp>In the future, we hope to add more fields.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: This plugin is not 100% backward compatible\u003C\u002Fstrong>\u003Cbr \u002F>\nIt is very easy to migrate. Should take less than 5 minute. If you are looking to move from the older plugin to this one, please read our \u003Ca href=\"https:\u002F\u002Fbuddydev.com\u002Fplugins\u002Fbp-xprofile-custom-field-types\u002F#migrate\" rel=\"nofollow ugc\">migration guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note 2: The Custom taxonomy field does not allow you to categorize users. 
They allow you to let users select some terms and display the terms on their profile.\u003Cbr \u002F>\n           It is not intended for classifying user\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>Credit\u003C\u002Fh4>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fdonmik.com\" rel=\"nofollow ugc\">@donmik\u003C\u002Fa> for the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdonmik\u002Fbuddypress-xprofile-custom-fields-type\" rel=\"nofollow ugc\">BuddyPress Xprofile Custom Fields Type\u003C\u002Fa> from where we adopted the field types in our first version.\u003Cbr \u002F>\n In the first version, te plugin brought all the profile fields offered by the currently abandoned The \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdonmik\u002Fbuddypress-xprofile-custom-fields-type\" rel=\"nofollow ugc\">“BuddyPress Xprofile Custom Fields Type”\u003C\u002Fa> plugin.\u003C\u002Fp>\n\u003Ch4>More Plugins\u003C\u002Fh4>\n\u003Cp>We love BuddyPress, and we have created 100+ BuddyPress plugins.\u003Cbr \u002F>\nPlease take a look at our\u003Cbr \u002F>\n 1. \u003Ca href=\"https:\u002F\u002Fbuddydev.com\u002Fplugins\u002F\" title=\"Best BuddyPress Plugins\" rel=\"nofollow ugc\">Free BuddyPress Plugins\u003C\u002Fa>\u003Cbr \u002F>\n 1. 
\u003Ca href=\"https:\u002F\u002Fbuddydev.com\u002Fplugins\u002Fcategory\u002Fbuddypress-premium-plugins\u002F\" title=\"Best BuddyPress Premium Plugins\" rel=\"nofollow ugc\">Premium BuddyPress plugins\u003C\u002Fa>\u003Cbr \u002F>\n We hope that it will help you take your BuddyPress network to the next level.\u003C\u002Fp>\n\u003Ch4>BuddyPress Custom development & Maintenance Service\u003C\u002Fh4>\n\u003Cp>If you need any assistance with setting up or adding new features to BuddyPress or this plugin, Our team is available for hire.\u003Cbr \u002F>\nPlease use our \u003Ca href=\"https:\u002F\u002Fbuddydev.com\u002Fbuddypress-custom-plugin-development-service\u002F\" rel=\"nofollow ugc\">BuddyPress Development Services\u003C\u002Fa> for any custom development needs.\u003C\u002Fp>\n","Buddypress Xprofile Custom Field Types adds extra custom profile fields to BuddyPress. Field types are: Birthdate, Email, Url etc.",4000,145742,98,16,"2026-01-01T14:23:00.000Z","5.0","5.3",[20,69,70,24],"buddypress-profile-field-types","fields","https:\u002F\u002Fbuddydev.com\u002Fplugins\u002Fbuddypress-xprofile-custom-field-types\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbp-xprofile-custom-field-types.1.3.0.zip","2026-01-05 16:27:40",{"slug":75,"name":76,"version":77,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":82,"downloaded":83,"rating":13,"num_ratings":84,"last_updated":85,"tested_up_to":86,"requires_at_least":87,"requires_php":18,"tags":88,"homepage":91,"download_link":92,"security_score":93,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"bp2wp-full-sync","BuddyPress to WordPress Full Sync","0.3.7","Sergio De Falco","https:\u002F\u002Fprofiles.wordpress.org\u002Fsgr33n\u002F","\u003Cp>BuddyPress to WordPress Full Sync lets BuddyPress xProfile fields to synchronize with WordPress user fields with a user interface completely fused inside the BuddyPress profile fields 
management.\u003C\u002Fp>\n\u003Ch4>Let us know you care about this plugin\u003C\u002Fh4>\n\u003Cp>Please let us know how much you care about BuddyPress to WordPress Full Sync Plugin development rating it (5 stars).\u003C\u002Fp>\n","BuddyPress to WordPress Full Sync lets BuddyPress xProfile fields to synchronize with WordPress user fields",200,16106,12,"2021-06-16T08:01:00.000Z","5.7.15","4.0",[20,70,89,90,24],"profile","users","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbp2wp-full-sync\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbp2wp-full-sync.0.3.7.zip",85,{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":29,"num_ratings":29,"last_updated":104,"tested_up_to":105,"requires_at_least":106,"requires_php":107,"tags":108,"homepage":114,"download_link":115,"security_score":102,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"acf-default-image-addon","Default Image Addon for ACF","1.5","Galaxy Weblinks","https:\u002F\u002Fprofiles.wordpress.org\u002Fgalaxyweblinks\u002F","\u003Cp>This plugin provides an option to add a default image in the backend option for the ACF field type image. It will provide the default image in the result when the image field value is not set.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Important Note:\u003C\u002Fstrong> Default Image Addon for ACF is built on top of Advanced Custom Fields. This plugin requires ACF plugin to function. Make sure you have ACF installed and activated.\u003C\u002Fp>\n\u003Cp>Here’s a link to the documentation for the plugin. 
This will help you learn more about its features and how to use it.\u003Cbr \u002F>\n\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwp-plugins.galaxyweblinks.com\u002Fwp-plugins\u002Fdefault-image-addon-for-acf\u002Fdoc\u002F\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fstrong>\u003Cbr \u002F>\nFor any feedback or queries regarding this plugin, please contact our \u003Ca href=\"https:\u002F\u002Fwp-plugins.galaxyweblinks.com\u002Fcontact\u002F\" rel=\"nofollow ugc\">Support team\u003C\u002Fa>.\u003C\u002Fp>\n","This plugin provides the feature to add an option for the default image in the field type image.",100,3725,"2025-04-25T12:09:00.000Z","6.8.5","4.9","7.4",[109,110,111,112,113],"acf-default-image","acf-field-type-image","acf-image-field","default-image","default-image-addon-for-acf","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Facf-default-image-addon","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-default-image-addon.1.5.zip",{"slug":117,"name":118,"version":119,"author":120,"author_profile":121,"description":122,"short_description":123,"active_installs":124,"downloaded":125,"rating":124,"num_ratings":126,"last_updated":127,"tested_up_to":128,"requires_at_least":129,"requires_php":18,"tags":130,"homepage":132,"download_link":133,"security_score":93,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"buddypress-conditional-field-groups","BuddyPress Conditional Field Groups","0.1.0","Tanner Moushey","https:\u002F\u002Fprofiles.wordpress.org\u002Ftanner-m\u002F","\u003Cp>This is a simple plugin used to hide XProfile Field groups from different user types based on the user’s role. 
To hide a field group, go to Users -> Conditional Groups in the wp-admin and check appropriate box in the grid.\u003C\u002Fp>\n","Conditionally hide BuddyPress XProfile Field Groups based on user role.",80,5491,3,"2015-05-30T01:02:00.000Z","4.2.0","3.5.1",[20,131],"xprofile-fields","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbuddypress-conditional-field-groups.zip",{"slug":135,"name":136,"version":137,"author":138,"author_profile":139,"description":140,"short_description":141,"active_installs":142,"downloaded":143,"rating":144,"num_ratings":145,"last_updated":146,"tested_up_to":147,"requires_at_least":148,"requires_php":18,"tags":149,"homepage":152,"download_link":153,"security_score":93,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"bp-xprofile-rich-text-field","Buddypress xProfile Rich Text Field","0.2.5","Christian Wach","https:\u002F\u002Fprofiles.wordpress.org\u002Fneedle\u002F","\u003Cp>The Buddypress xProfile Rich Text Field plugin adds a Rich-text Editor custom field type to Extended Profiles in BuddyPress.\u003C\u002Fp>\n\u003Cp>Please note: this plugin is no longer required because its functionality has been implemented since BuddyPress 2.4. Having said that, if you already have data in xProfile fields of this type, you will need to keep this plugin active. See:\u003C\u002Fp>\n\u003Cp>https:\u002F\u002Fbuddypress.trac.wordpress.org\u002Fticket\u002F5625\u003C\u002Fp>\n\u003Cp>If you are using BuddyPress 2.0+ and your theme does not use compatibility mode (i.e it supplies its own BuddyPress template files) then you will have to update your theme’s \u003Ccode>members\u002Fsingle\u002Fprofile\u002Fedit.php\u003C\u002Fcode> and \u003Ccode>registration\u002Fregister.php\u003C\u002Fcode> (or \u003Ccode>members\u002Fregister.php\u003C\u002Fcode>) templates so that they match the new way of displaying xProfile fields. 
You can refer to the relevant BuddyPress files to see how that’s now being done. These are \u003Ccode>bp-templates\u002Fbp-legacy\u002Fbuddypress\u002Fmembers\u002Fsingle\u002Fprofile\u002Fedit.php\u003C\u002Fcode>\u003Cbr \u002F>\nand \u003Ccode>bp-templates\u002Fbp-legacy\u002Fbuddypress\u002Fmembers\u002Fregister.php\u003C\u002Fcode>.\u003C\u002Fp>\n","Buddypress xProfile Rich Text Field adds a Rich-text Editor custom field type to Extended Profiles in BuddyPress.",70,8067,90,4,"2016-03-11T13:34:00.000Z","4.4.34","3.5",[20,150,21,151,24],"editor","tinymce","http:\u002F\u002Fhaystack.co.uk","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbp-xprofile-rich-text-field.0.2.5.zip",{"attackSurface":155,"codeSignals":231,"taintFlows":286,"riskAssessment":287,"analyzedAt":296},{"hooks":156,"ajaxHandlers":227,"restRoutes":228,"shortcodes":229,"cronEvents":230,"entryPointCount":29,"unprotectedCount":29},[157,163,167,172,175,180,184,188,192,196,200,204,208,212,216,220,223],{"type":158,"name":159,"callback":160,"file":161,"line":162},"filter","xprofile_field_types","bpxp_image_field_add_field_type","bp-xprofile-image-field.php",57,{"type":158,"name":164,"callback":165,"file":161,"line":166},"xprofile_admin_field","bpxp_image_field_admin_render_field_type",60,{"type":168,"name":169,"callback":170,"file":161,"line":171},"action","bp_custom_profile_edit_fields","bpxp_image_field_edit_render_field",63,{"type":158,"name":173,"callback":160,"file":161,"line":174},"bp_xprofile_get_field_types",67,{"type":158,"name":176,"callback":177,"priority":178,"file":161,"line":179},"bp_get_the_profile_field_value","bpxp_image_field_frontend_render",10,73,{"type":168,"name":181,"callback":182,"priority":178,"file":161,"line":183},"bp_actions","bpxp_image_field_override_xprofile_screen_edit_profile",78,{"type":168,"name":185,"callback":186,"priority":178,"file":161,"line":187},"bp_signup_pre_validate","bpxp_image_field_pre_validation",81,{"type":168,"name":189,"callback":190,"priority":178,"file":161,"line":191},"bp_signup_validate","bpxp_image_field_post_validation",82,{"type":168,"name":193,"callback":194,"priority":178,"file":161,"line":195},"bp_core_signup_user","bpxp_image_field_save_on_signup",86,{"type":168,"name":197,"callback":198,"priority":178,"file":161,"line":199},"bp_core_activated_user","bpxp_image_field_update_on_user_activation",89,{"type":168,"name":201,"callback":202,"priority":203,"file":161,"line":13},"bp_members_admin_update_user","bpxp_image_field_save_on_admin_edit_profile",8,{"type":168,"name":205,"callback":206,"file":161,"line":207},"init","bpxp_image_field_l10n",109,{"type":168,"name":209,"callback":210,"file":161,"line":211},"bp_screens","bpxp_image_field_save_on_edit",279,{"type":158,"name":213,"callback":214,"priority":178,"file":161,"line":215},"upload_dir","bpxp_image_field_profile_upload_dir",593,{"type":168,"name":217,"callback":218,"file":161,"line":219},"all_admin_notices","bpxp_image_field_error_wordpress_version",699,{"type":168,"name":217,"callback":221,"file":161,"line":222},"bpxp_image_field_error_missing_xprofile",711,{"type":168,"name":224,"callback":225,"file":161,"line":226},"bp_xprofile_includes","bpxp_image_field_init",715,[],[],[],[],{"dangerousFunctions":232,"sqlUsage":233,"outputEscaping":236,"fileOperations":145,"externalRequests":29,"nonceChecks":234,"capabilityChecks":29,"bundledLibraries":285},[],{"prepared":234,"raw":29,"locations":235},2,[],{"escaped":29,"rawEcho":237,"locations":238},26,[239,242,244,245,247,248,249,251,252,254,255,257,258,260,262,264,267,269,271,273,275,276,278,279,281,283],{"file":161,"line":240,"context":241},169,"raw 
output",{"file":161,"line":243,"context":241},218,{"file":161,"line":243,"context":241},{"file":161,"line":246,"context":241},219,{"file":161,"line":246,"context":241},{"file":161,"line":246,"context":241},{"file":161,"line":250,"context":241},223,{"file":161,"line":250,"context":241},{"file":161,"line":253,"context":241},224,{"file":161,"line":253,"context":241},{"file":161,"line":256,"context":241},225,{"file":161,"line":256,"context":241},{"file":161,"line":259,"context":241},236,{"file":161,"line":261,"context":241},673,{"file":161,"line":263,"context":241},678,{"file":265,"line":266,"context":241},"classes\\class-bp-xprofile-field-type-image.php",127,{"file":265,"line":268,"context":241},136,{"file":265,"line":270,"context":241},143,{"file":265,"line":272,"context":241},148,{"file":265,"line":274,"context":241},149,{"file":265,"line":274,"context":241},{"file":265,"line":277,"context":241},150,{"file":265,"line":277,"context":241},{"file":265,"line":280,"context":241},157,{"file":265,"line":282,"context":241},182,{"file":265,"line":284,"context":241},191,[],[],{"summary":288,"deductions":289},"The \"buddypress-xprofile-image-field\" plugin v3.1.0 exhibits a mixed security posture. On the positive side, the static analysis reveals no identified dangerous functions, all SQL queries utilize prepared statements, and there are no external HTTP requests or bundled libraries that could pose a risk. The absence of identified taint flows, particularly critical or high severity ones, is also a strong indicator of secure code practices in certain areas.  However, the plugin's attack surface is surprisingly small, with zero AJAX handlers, REST API routes, shortcodes, or cron events. While this might suggest limited functionality, it also means any potential vulnerabilities would be harder to discover through typical web application attack vectors.\n\nThe most significant concern stems from the vulnerability history. 
The plugin has a documented critical vulnerability in its past, specifically a 'Path Traversal' issue. While this specific critical vulnerability is currently marked as patched, the presence of a critical flaw in the past, especially one related to path manipulation, warrants caution. Furthermore, the static analysis highlights a significant weakness: 100% of output escaping is missing. This means that all 26 identified output points are potentially vulnerable to cross-site scripting (XSS) attacks if user-supplied data is not properly sanitized before being displayed.\n\nIn conclusion, while the plugin demonstrates good practices in database interaction and avoids external dependencies, the complete lack of output escaping is a critical oversight that exposes users to XSS vulnerabilities. The past critical vulnerability, even though patched, also serves as a reminder of potential security weaknesses that could resurface or be introduced in future updates. The low attack surface makes manual code review or deeper static analysis even more important for a comprehensive security assessment.",[290,293],{"reason":291,"points":292},"100% of output unescaped",15,{"reason":294,"points":295},"Past critical vulnerability (Path 
Traversal)",18,"2026-03-16T20:06:52.516Z",{"wat":298,"direct":309},{"assetPaths":299,"generatorPatterns":303,"scriptPaths":304,"versionParams":305},[300,301,302],"\u002Fwp-content\u002Fplugins\u002Fbuddypress-xprofile-image-field\u002Fcss\u002Fbp-xp-img-fld.css","\u002Fwp-content\u002Fplugins\u002Fbuddypress-xprofile-image-field\u002Fjs\u002Fversion_compare.js","\u002Fwp-content\u002Fplugins\u002Fbuddypress-xprofile-image-field\u002Fjs\u002Fbp-xp-img-fld.js",[],[301,302],[306,307,308],"buddypress-xprofile-image-field\u002Fcss\u002Fbp-xp-img-fld.css?ver=","buddypress-xprofile-image-field\u002Fjs\u002Fversion_compare.js?ver=","buddypress-xprofile-image-field\u002Fjs\u002Fbp-xp-img-fld.js?ver=",{"cssClasses":310,"htmlComments":311,"htmlAttributes":312,"restEndpoints":313,"jsGlobals":314,"shortcodeOutput":316},[],[],[],[],[315],"bpxpL10n",[]]