Lava Bp Post Security & Risk Analysis

wordpress.org/plugins/lava-bp-post

Lava Bp Post provides a front-end form for BuddyPress. It can also be added to pages with a form shortcode.

200 active installs · v1.0.10 · PHP + WP 3.2+ · Updated Apr 19, 2022
Tags: buddypress, buddypress-blog-form, buddypress-frontend-form, front-end-form, social-articles
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Lava Bp Post Safe to Use in 2026?

Generally Safe

Score 85/100

Lava Bp Post has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The "lava-bp-post" plugin v1.0.10 exhibits a concerning security posture primarily due to its unprotected AJAX endpoints. While the plugin boasts no known CVEs and a clean vulnerability history, the static analysis reveals two AJAX handlers that lack authentication checks. This presents a significant attack vector, as any unauthenticated user could potentially trigger these functions, leading to unintended consequences or exploitation if the functionality is sensitive.

The code analysis further shows that the plugin's one raw SQL query does not use a prepared statement (0% prepared), a critical flaw that can lead to SQL injection. Although the taint analysis found no critical or high severity issues, the two data flows with unsanitized paths, combined with the raw SQL query, indicate a high risk of data compromise. Output escaping is also limited (37% of outputs escaped), which raises concerns about Cross-Site Scripting (XSS).

The absence of known vulnerabilities is a positive indicator, but it should not be relied upon alone. The static analysis reveals significant weaknesses that, if exploited, could surface as new vulnerabilities. The plugin has a small attack surface, but the lack of security checks on its entry points is a major concern. Overall, the plugin requires immediate attention to the unprotected AJAX handlers, the SQL injection risk, and the insufficient output escaping.

Key Concerns

  • Unprotected AJAX handlers
  • SQL queries without prepared statements
  • Low percentage of properly escaped output
  • Taint flows with unsanitized paths
Vulnerabilities
None known

Lava Bp Post Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Lava Bp Post Release Timeline

v1.0.10 (Current)
v1.0.9.1
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.0
Code Analysis
Analyzed Mar 16, 2026

Lava Bp Post Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 66 (39 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

37% escaped · 105 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
deactive_licensekey (includes\class-addons.php:146)
Attack Surface
2 unprotected

Lava Bp Post Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_lava_bpp_listing · includes\functions-ajaxListings.php:2
nopriv · wp_ajax_lava_bpp_listing · includes\functions-ajaxListings.php:3
WordPress Hooks 32
action · lava_bp_post_admin_addons_after · includes\class-addons.php:30
filter · transient_update_plugins · includes\class-addons.php:41
filter · site_transient_update_plugins · includes\class-addons.php:42
action · upgrader_process_complete · includes\class-addons.php:46
action · admin_init · includes\class-admin.php:33
action · admin_menu · includes\class-admin.php:34
action · admin_footer · includes\class-admin.php:35
action · save_post · includes\class-admin.php:36
action · add_meta_boxes · includes\class-admin.php:37
action · admin_enqueue_scripts · includes\class-admin.php:46
action · plugins_loaded · includes\class-core.php:30
action · init · includes\class-core.php:32
action · wp_enqueue_scripts · includes\class-core.php:34
filter · the_content · includes\class-core.php:35
filter · lava_get_selbox_child_term_lists · includes\class-core.php:39
action · bp_setup_nav · includes\class-core.php:42
action · wp_enqueue_scripts · includes\class-core.php:215
filter · the_content · includes\class-core.php:231
action · bp_template_content · includes\class-core.php:427
action · wp_enqueue_scripts · includes\class-enqueues.php:16
action · wp_enqueue_scripts · includes\class-enqueues.php:17
action · admin_enqueue_scripts · includes\class-enqueues.php:18
action · admin_enqueue_scripts · includes\class-enqueues.php:19
action · init · includes\class-shortcodes.php:18
action · wp_footer · includes\class-shortcodes.php:64
action · wp_footer · includes\class-shortcodes.php:114
action · wp_footer · includes\class-shortcodes.php:172
action · wp_head · includes\class-submit.php:24
action · init · includes\class-submit.php:25
action · init · includes\class-template.php:30
action · pre_get_posts · includes\class-template.php:76
action · init · lava-bp-post.php:94
Maintenance & Trust

Lava Bp Post Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Apr 19, 2022
PHP min version
Downloads: 23K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 200
Developer Profile

Lava Bp Post Developer Profile

lavacode

2 plugins · 240 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Lava Bp Post

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/lava-bp-post/assets/js/admin-addons.js
/wp-content/plugins/lava-bp-post/assets/css/admin.css
/wp-content/plugins/lava-bp-post/assets/js/admin.js
/wp-content/plugins/lava-bp-post/assets/js/admin-form-validation.js
/wp-content/plugins/lava-bp-post/assets/js/lava-bp-post-public.js
Script Paths
/wp-content/plugins/lava-bp-post/assets/js/admin-addons.js
/wp-content/plugins/lava-bp-post/assets/js/admin.js
/wp-content/plugins/lava-bp-post/assets/js/admin-form-validation.js
/wp-content/plugins/lava-bp-post/assets/js/lava-bp-post-public.js
Version Parameters
lava-bp-post/assets/js/admin-addons.js?ver=
lava-bp-post/assets/css/admin.css?ver=
lava-bp-post/assets/js/admin.js?ver=
lava-bp-post/assets/js/admin-form-validation.js?ver=
lava-bp-post/assets/js/lava-bp-post-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
lava-manager-addons-wrap
lava-addon-update-check
addons-wrap
lava-manager-addons-wrap
lava-manager-post-form
lava-submit-post-wrap
lava-post-submit-form
lava-submit-post-fields
HTML Comments
<!-- /.lava-manager-addons-wrap -->
<!-- /.lava-manager-post-form -->
<!-- /.lava-submit-post-wrap -->
Data Attributes
data-posttype
data-lava-fields-validation
JS Globals
lavaAddonsVariable
lava_dir_admin_param
lava_bpp_func
lava_bp_post_admin
Shortcode Output
<div id="lava-bp-post-submit-form"
<div id="lava-bp-post-display-posts"