Invite Anyone Security & Risk Analysis

wordpress.org/plugins/invite-anyone

Makes BuddyPress's invitation features more powerful.

1K active installs v1.4.10 PHP + WP 3.2+ Updated Aug 19, 2024
Tags: buddypress, friends, group, invitations, invite

Score: 83/100
B · Generally Safe
CVEs total: 6
Unpatched: 0
Last CVE: Aug 16, 2024
Safety Verdict

Is Invite Anyone Safe to Use in 2026?

Mostly Safe

Score 83/100

Invite Anyone is generally safe to use though it hasn't been updated recently. 6 past CVEs were resolved. Keep it updated.

6 known CVEs · Last CVE: Aug 16, 2024 · Updated 1yr ago
Risk Assessment

The "invite-anyone" plugin v1.4.10 presents a mixed security posture. On the positive side, static analysis shows a high proportion of properly escaped outputs (95%), partial use of prepared statements for SQL queries (57%), and a meaningful number of nonce and capability checks (10 each). Taint analysis reported no critical or high severity unsanitized paths, which is encouraging.

However, one AJAX handler lacks an authentication check, which is a significant attack surface reachable by unauthenticated users. The plugin also bundles a very outdated version of jQuery (v1.3.2), a known source of potential vulnerabilities.

The vulnerability history is a major concern: 6 known CVEs, including 1 critical and 3 high severity issues. Although all of them are currently patched, this history shows a pattern of recurring weaknesses (cross-site scripting, deserialization, CSRF, improper input validation, and access control flaws). It suggests that, despite some good security practices, there are fundamental issues in the plugin's development that have led to persistent vulnerabilities.

Key Concerns

  • Unprotected AJAX handler
  • Bundled outdated jQuery library
  • 1 critical CVE history
  • 3 high CVE history
  • 2 medium CVE history
  • SQL queries partially not prepared
Vulnerabilities (6)

Invite Anyone Security Vulnerabilities

CVEs by Year

2017: 5 CVEs (patched)
2024: 1 CVE (patched)

Severity Breakdown

Critical: 1
High: 3
Medium: 2

6 total CVEs

CVE-2024-43327 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Invite Anyone <= 1.4.7 - Reflected Cross-Site Scripting

Aug 16, 2024 · Patched in 1.4.8 (7d)

WF-b77c3d65-23c0-4bda-afea-9cad00fc04d6-invite-anyone · critical · 9.8 · Deserialization of Untrusted Data

Invite Anyone <= 1.3.18 - PHP Object Injection

Oct 12, 2017 · Patched in 1.3.19 (2294d)

CVE-2017-18544 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Invite Anyone < 1.3.16 - Cross-Site Request Forgery

Mar 22, 2017 · Patched in 1.3.16 (2498d)

CVE-2017-18545 · high · 7.5 · Improper Input Validation

Invite Anyone <= 1.3.15 - Improper Input Validation

Mar 22, 2017 · Patched in 1.3.16 (2498d)

CVE-2017-18543 · high · 7.5 · Improper Access Control

Invite Anyone < 1.3.16 - Email Injection

Mar 22, 2017 · Patched in 1.3.16 (2498d)

CVE-2017-6955 · medium · 5.3 · Improper Input Validation

Invite Anyone <= 1.3.14 - Change of Email Invitation Content

Mar 17, 2017 · Patched in 1.3.15 (2503d)
Code Analysis
Analyzed Mar 16, 2026

Invite Anyone Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (4 prepared)
Unescaped Output: 14 (255 escaped)
Nonce Checks: 10
Capability Checks: 10
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

jQuery 1.3.2

SQL Query Safety

57% prepared (7 total queries)

Output Escaping

95% escaped (269 total outputs)

Data Flows: all sanitized

Data Flow Analysis

6 flows (all sanitized)
invite_anyone_admin_panel (admin\admin-panel.php:148)
Columns: Source (user input) · Sink (dangerous op) · Sanitizer · Transform; legend: Unsanitized / Sanitized

Attack Surface: 1 unprotected

Invite Anyone Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers (2)

auth · wp_ajax_invite_anyone_groups_invite_user · group-invites\group-invites.php:505
auth · wp_ajax_invite_anyone_autocomplete_ajax_handler · group-invites\group-invites.php:534

WordPress Hooks (45)
action · admin_init · admin\admin-panel.php:39
action · admin_menu · admin\admin-panel.php:112
filter · plugin_action_links · admin\admin-panel.php:127
action · admin_init · admin\admin-panel.php:316
filter · posts_where_paged · admin\admin-stats.php:107
action · init · by-email\by-email-db.php:51
action · admin_init · by-email\by-email-db.php:216
action · wp_loaded · by-email\by-email-db.php:220
filter · posts_fields · by-email\by-email-db.php:499
filter · posts_join_paged · by-email\by-email-db.php:500
filter · posts_orderby · by-email\by-email-db.php:501
action · wp_print_styles · by-email\by-email.php:40
action · wp_print_scripts · by-email\by-email.php:61
action · bp_setup_globals · by-email\by-email.php:78
action · wp · by-email\by-email.php:177
action · bp_before_register_page · by-email\by-email.php:252
action · bp_core_activated_user · by-email\by-email.php:331
action · bp_setup_nav · by-email\by-email.php:382
action · wp_head · by-email\by-email.php:469
action · bp_actions · by-email\by-email.php:510
action · bp_template_redirect · by-email\by-email.php:573
action · bp_template_content · by-email\by-email.php:583
action · bp_template_content · by-email\by-email.php:860
filter · bp_email_get_salutation · by-email\by-email.php:1614
action · bp_actions · by-email\by-email.php:1718
filter · bp_get_signup_allowed · by-email\by-email.php:1776
filter · option_users_can_register · by-email\by-email.php:1778
action · wp · by-email\by-email.php:1781
filter · bp_core_validate_user_signup · by-email\by-email.php:1807
filter · bp_loggedin_register_page_redirect_to · by-email\by-email.php:1891
action · bp_core_install_emails · by-email\by-email.php:1954
action · invite_anyone_after_addresses · by-email\cloudsponge-integration.php:66
action · wp_enqueue_scripts · by-email\cloudsponge-integration.php:67
action · wp_head · group-invites\group-invites.php:49
action · wp_print_styles · group-invites\group-invites.php:68
action · wp · group-invites\group-invites.php:254
action · pre_user_query · group-invites\group-invites.php:369
filter · groups_create_group_steps · group-invites\group-invites.php:562
action · bp_setup_nav · group-invites\group-invites.php:563
action · groups_notification_group_invites_message · group-invites\group-invites.php:679
filter · groups_notification_group_invites_to · group-invites\group-invites.php:684
action · wp_footer · group-invites\templates\invite-anyone.php:14
action · bp_include · invite-anyone.php:50
action · plugins_loaded · invite-anyone.php:58
action · widgets_init · widgets\widgets.php:161
Maintenance & Trust

Invite Anyone Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Aug 19, 2024
PHP min version:
Downloads: 262K

Community Trust

Rating: 86/100
Number of ratings: 26
Active installs: 1K
Developer Profile

Invite Anyone Developer Profile

Boone Gorges

27 plugins · 12K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 1864 days
Detection Fingerprints

How We Detect Invite Anyone

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/invite-anyone/admin/admin-css.css
/wp-content/plugins/invite-anyone/admin/admin-js.js
Script Paths
/wp-content/plugins/invite-anyone/vendor/harding-group/buddypress-120-url-polyfills/js/bp-120-url-polyfills.js
Version Parameters
invite-anyone/admin/admin-js.js?ver=
invite-anyone/admin/admin-css.css?ver=

HTML / DOM Fingerprints

CSS Classes
bp-invite-anyone
Data Attributes
data-invite-anyone-form, data-invite-anyone-id
JS Globals
invite_anyone_admin_params
REST Endpoints
/wp-json/invite-anyone/v1/invite
Shortcode Output
[invite_form], [invite_friends], [invite_anyone]
FAQ

Frequently Asked Questions about Invite Anyone