BuddyPress Avatar Bubble Security & Risk Analysis

wordpress.org/plugins/cd-bp-avatar-bubble

When you hover over (or click) a user or group avatar, you will see a bubble with the information defined by the admin.

30 active installs · v2.7.1 · PHP + · WP + · Updated Nov 10, 2016
Tags: ajax, buddypress, groups, members, profile
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BuddyPress Avatar Bubble Safe to Use in 2026?

Generally Safe

Score 85/100

BuddyPress Avatar Bubble has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The plugin "cd-bp-avatar-bubble" v2.7.1 presents a significant security risk primarily due to its unprotected AJAX handlers. While the plugin demonstrates good practices in SQL query handling and has no recorded vulnerability history, the presence of two AJAX entry points without any authentication or capability checks is a major concern. This creates a substantial attack surface that attackers can leverage to trigger unintended actions within WordPress. The taint analysis showing flows with unsanitized paths, even without critical or high severity, suggests potential for manipulation if these paths are not properly secured by the application logic. The low percentage of properly escaped output further exacerbates this risk, as it can lead to cross-site scripting (XSS) vulnerabilities. In conclusion, despite a clean vulnerability history and secure SQL practices, the lack of authorization on key entry points and potential output escaping issues create a precarious security posture.

Key Concerns

  • AJAX handlers without auth checks
  • Flows with unsanitized paths
  • Low percentage of properly escaped output
  • Missing nonce checks on AJAX
  • Missing capability checks on AJAX
Vulnerabilities
None known

BuddyPress Avatar Bubble Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

BuddyPress Avatar Bubble Release Timeline

v2.7.1 (Current)
v2.7
v2.6.1
v2.5.1
v2.5
v2.4
v2.3.1
v2.3
v2.2
v2.1.1
v2.1
v2.0.1
v2.0
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2
v1.1.1
v1.1
Code Analysis
Analyzed Apr 16, 2026

BuddyPress Avatar Bubble Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 14 (1 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 3 total queries

Output Escaping

7% escaped · 15 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
on_show_page (cd-ab-admin.php:94)
Attack Surface
2 unprotected

BuddyPress Avatar Bubble Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers: 2

auth · wp_ajax_cd_ab_the_avatardata · cd-avatar-bubble.php:198
nopriv · wp_ajax_cd_ab_the_avatardata · cd-avatar-bubble.php:199

WordPress Hooks: 9

filter · screen_layout_columns · cd-ab-admin.php:11
action · network_admin_menu · cd-ab-admin.php:14
action · admin_menu · cd-ab-admin.php:16
action · wp_print_scripts · cd-ab-cssjs.php:29
action · wp_head · cd-ab-cssjs.php:45
action · wp_print_styles · cd-ab-cssjs.php:92
action · plugins_loaded · cd-avatar-bubble.php:52
filter · bp_core_fetch_avatar · cd-avatar-bubble.php:86
filter · bp_get_activity_action · cd-avatar-bubble.php:113
Maintenance & Trust

BuddyPress Avatar Bubble Maintenance & Trust

Maintenance Signals

WordPress version tested
Last updated: Nov 10, 2016
PHP min version
Downloads: 39K

Community Trust

Rating: 80/100
Number of ratings: 12
Active installs: 30
Developer Profile

BuddyPress Avatar Bubble Developer Profile

Slava Abakumov

10 plugins · 3K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 104 days
Detection Fingerprints

How We Detect BuddyPress Avatar Bubble

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cd-bp-avatar-bubble/assets/css/cd-bp-avatar-bubble.css
/wp-content/plugins/cd-bp-avatar-bubble/assets/js/cd-bp-avatar-bubble.js
Script Paths
/wp-content/plugins/cd-bp-avatar-bubble/assets/js/cd-bp-avatar-bubble.js
Version Parameters
cd-bp-avatar-bubble/assets/css/cd-bp-avatar-bubble.css?ver=
cd-bp-avatar-bubble/assets/js/cd-bp-avatar-bubble.js?ver=

HTML / DOM Fingerprints

CSS Classes
popupLine
cd-bp-avatar-bubble-wrapper
Data Attributes
rel="user_"
rel="group_"
JS Globals
cd_ab_vars
REST Endpoints
/wp-json/cd-bp-avatar-bubble/v1/settings