WP-Safety

GamiPress – Button Security & Risk Analysis

wordpress.org/plugins/gamipress-button

Add activity events based on button clicks generated by [gamipress_button]

1K active installs v1.0.9 PHP + WP 4.4+ Updated Dec 1, 2025
buttonclickgamificationgamifygamipress
99
A · Safe
CVEs total2
Unpatched0
Last CVEMar 19, 2024
Plugin page Download
Safety Verdict

Is GamiPress – Button Safe to Use in 2026?

Generally Safe

Score 99/100

GamiPress – Button has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Mar 19, 2024Updated 5mo ago
Risk Assessment

The gamipress-button v1.0.9 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in handling SQL queries, exclusively using prepared statements, and avoids file operations and external HTTP requests. It also includes a nonce check, which is a critical security control. However, several areas raise concerns. The lack of capability checks on AJAX handlers means that any authenticated user, regardless of their role or permissions, could potentially trigger these actions, increasing the attack surface. While taint analysis showed no critical or high severity flows, the 77% output escaping rate indicates a potential for Cross-Site Scripting (XSS) vulnerabilities, especially with 39 total outputs. The plugin's history of two medium severity CVEs, both related to XSS, further amplifies this concern, suggesting a recurring weakness that needs addressing. The recent nature of the last vulnerability also highlights the ongoing need for vigilant patching.

Key Concerns

  • No capability checks on AJAX handlers
  • 77% output escaping rate (potential XSS)
  • Two medium severity CVEs, recent
Vulnerabilities
2 published

GamiPress – Button Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2024-2460medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GamiPress – Button <= 1.0.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Mar 19, 2024 Patched in 1.0.8 (1d)
WF-eedced7b-bda4-4292-8e87-fc3e37e4868b-gamipress-buttonmedium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GamiPress – Button <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 12, 2023 Patched in 1.0.5 (376d)
Version History

GamiPress – Button Release Timeline

v1.0.9Current
v1.0.8
v1.0.71 CVE
CVE-2024-2460
v1.0.61 CVE
CVE-2024-2460
v1.0.51 CVE
CVE-2024-2460
v1.0.42 CVEs
CVE-2024-2460 WF-eedced7b-bda4-4292-8e87-fc3e37e4868b-gamipress-button
v1.0.32 CVEs
CVE-2024-2460 WF-eedced7b-bda4-4292-8e87-fc3e37e4868b-gamipress-button
v1.0.22 CVEs
CVE-2024-2460 WF-eedced7b-bda4-4292-8e87-fc3e37e4868b-gamipress-button
v1.0.12 CVEs
CVE-2024-2460 WF-eedced7b-bda4-4292-8e87-fc3e37e4868b-gamipress-button
v1.0.02 CVEs
CVE-2024-2460 WF-eedced7b-bda4-4292-8e87-fc3e37e4868b-gamipress-button
Code Analysis
Analyzed Mar 16, 2026

GamiPress – Button Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
9
30 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

77% escaped39 total outputs
Attack Surface

GamiPress – Button Attack Surface

Entry Points2
Unprotected0

AJAX Handlers 2

authwp_ajax_gamipress_button_clickincludes\ajax-functions.php:86
noprivwp_ajax_gamipress_button_clickincludes\ajax-functions.php:87
WordPress Hooks 20
actionadmin_noticesgamipress-button.php:100
actionplugins_loadedgamipress-button.php:205
filtergamipress_automatic_updates_pluginsincludes\admin.php:26
filtergamipress_log_event_trigger_meta_dataincludes\logs.php:55
filtergamipress_get_user_trigger_count_log_metaincludes\logs.php:116
filtergamipress_log_extra_data_fieldsincludes\logs.php:224
filtergamipress_requirement_objectincludes\requirements.php:38
actiongamipress_requirement_ui_html_after_achievement_postincludes\requirements.php:56
actiongamipress_ajax_update_requirementincludes\requirements.php:81
actiongamipress_requirement_ui_html_after_requirement_titleincludes\requirements.php:104
filtergamipress_get_triggered_requirementsincludes\rules-engine.php:108
filteruser_has_access_to_achievementincludes\rules-engine.php:137
actioninitincludes\scripts.php:26
actionwp_enqueue_scriptsincludes\scripts.php:48
actionadmin_initincludes\scripts.php:64
actionadmin_enqueue_scriptsincludes\scripts.php:84
actioninitincludes\shortcodes\gamipress_button.php:70
filtergamipress_activity_triggersincludes\triggers.php:38
filtergamipress_activity_trigger_labelincludes\triggers.php:76
filtergamipress_trigger_get_user_idincludes\triggers.php:108
Maintenance & Trust

GamiPress – Button Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 1, 2025
PHP min version
Downloads21K

Community Trust

Rating60/100
Number of ratings2
Active installs1K
Alternatives

GamiPress – Button Alternatives

GamiPress – Link

GamiPress – Link

gamipress-link

A
99

Add activity events based on link clicks generated by [gamipress_link]

800 1 CVE
GamiPress – Leaderboards Include/Exclude Users

GamiPress – Leaderboards Include/Exclude Users

gamipress-leaderboards-include-exclude-users

A
100

Include or exclude specific users or roles on any leaderboard.

500 No CVEs
GamiPress – Block Users

GamiPress – Block Users

gamipress-block-users

A
100

Block users and roles from getting awarded through the GamiPress awards engine

400 No CVEs
GamiPress – BuddyPress Group Leaderboard

GamiPress – BuddyPress Group Leaderboard

gamipress-buddypress-group-leaderboard

A
100

Add a completely configurable tab on BuddyPress groups with a GamiPress leaderboard of group members

300 No CVEs
GamiPress – Emails By Type

GamiPress – Emails By Type

gamipress-emails-by-type

A
100

Set different emails settings by type

200 No CVEs
Developer Profile

GamiPress – Button Developer Profile

Ruben Garcia

32 plugins · 25K total installs

78
trust score
Avg Security Score
99/100
Avg Patch Time
128 days
View full developer profile
Detection Fingerprints

How We Detect GamiPress – Button

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gamipress-button/assets/js/gamipress-button.js/wp-content/plugins/gamipress-button/assets/js/gamipress-button.min.js
Script Paths
/wp-content/plugins/gamipress-button/assets/js/gamipress-button.js/wp-content/plugins/gamipress-button/assets/js/gamipress-button.min.js
Version Parameters
gamipress-button/assets/js/gamipress-button.js?ver=gamipress-button/assets/js/gamipress-button.min.js?ver=

HTML / DOM Fingerprints

JS Globals
gamipress_button
Shortcode Output
[gamipress_button]
FAQ

Frequently Asked Questions about GamiPress – Button