WP-Hyves Security & Risk Analysis

wordpress.org/plugins/wp-hyves

Import friends and Post to Hyves: a social networking website.

10 active installs · v1.4.0.2 · PHP + · WP 2.3+ · Updated: Unknown
Tags: contacts, friends, hyves, import, social
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP-Hyves Safe to Use in 2026?

Generally Safe

Score 100/100

WP-Hyves has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "wp-hyves" v1.4.0.2 plugin exhibits a concerning security posture despite having no recorded CVEs. The static analysis reveals significant weaknesses, particularly in output escaping: 100% of outputs are not properly escaped. This poses a high risk of cross-site scripting (XSS) vulnerabilities, which would allow attackers to inject malicious scripts into the site. Additionally, the presence of dangerous functions such as `create_function` and `unserialize` is a red flag, as they can lead to remote code execution (RCE) if not handled with extreme care and proper sanitization, which appears to be lacking given the unescaped output. The taint analysis indicates that all analyzed flows have unsanitized paths, although no critical or high severity issues were flagged in this specific analysis. The complete absence of nonce checks and capability checks on entry points, coupled with a lack of documented security practices, further amplifies the risk. While the plugin's lack of external HTTP requests and its use of prepared statements for SQL queries are positive aspects, they do not outweigh the severe risks associated with unescaped output and potentially dangerous function usage.

Key Concerns

  • Unescaped output detected
  • Dangerous functions detected (create_function, unserialize)
  • No nonce checks detected
  • No capability checks detected
  • All taint flows have unsanitized paths
Vulnerabilities
None known

WP-Hyves Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP-Hyves Code Analysis

Dangerous Functions: 11
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 154 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 5
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • create_function · `add_action( 'plugins_loaded', create_function( '', 'global $dlPosts; $dlPosts = new DLPosts();' ) );` · classes\util\com.daveligthart.php:80
  • unserialize · `return unserialize($_SESSION['requesttoken_'.$oauth_token]);` · classes\util\GenusApis-PHP5-1.0.0\index.php:106
  • unserialize · `return unserialize($_SESSION['localtoken_'.$local_token]);` · classes\util\GenusApis-PHP5-1.0.0\index.php:114
  • unserialize · `return unserialize($_SESSION['requesttoken_'.$oauth_token]);` · classes\util\GenusApis-PHP5-1.0.1\index.php:114
  • unserialize · `return unserialize($_SESSION['localtoken_'.$local_token]);` · classes\util\GenusApis-PHP5-1.0.1\index.php:122
  • create_function · `add_action( 'plugins_loaded', create_function( '', 'global $wpHyvesDashWidget; $wpHyvesDashWidget =` · classes\util\WPHyvesDashboardWidget.php:84
  • unserialize · `return unserialize($_SESSION['requesttoken_'.$oauth_token]);` · classes\util\WPHyvesUtils.php:20
  • unserialize · `return unserialize($_SESSION['localtoken_'.$local_token]);` · classes\util\WPHyvesUtils.php:34
  • unserialize · `$scraps = unserialize(stripslashes(get_option('wphyves_scraps')));` · classes\widget\WPHyvesScrapsDashboardWidget.php:57
  • unserialize · `$scraps = unserialize(stripslashes(get_option('wphyves_scraps')));` · classes\widget\WPHyvesScrapsWidget.php:50
  • create_function · `add_action( 'plugins_loaded', create_function( '', 'global $wpHyvesFriendTipsDashWidget; $wpHyvesTip` · wp-hyves.php:60

Output Escaping

0% escaped · 154 total outputs
Data Flows: 11 unsanitized

Data Flow Analysis

11 flows · 11 with unsanitized paths
addpost_metabox (classes\action\WPHyvesAdminAction.php:183)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

WP-Hyves Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 25
  • action · admin_head · classes\action\WPHyvesAdminAction.php:40
  • action · publish_post · classes\action\WPHyvesAdminAction.php:41
  • action · admin_menu · classes\action\WPHyvesAdminAction.php:42
  • action · init · classes\action\WPHyvesAdminAction.php:43
  • action · admin_notices · classes\action\WPHyvesAdminAction.php:47
  • action · wp_dashboard_setup · classes\util\com.daveligthart.php:21
  • filter · wp_dashboard_widgets · classes\util\com.daveligthart.php:22
  • action · plugins_loaded · classes\util\com.daveligthart.php:80
  • action · wp_dashboard_setup · classes\util\WPHyvesDashboardWidget.php:21
  • filter · wp_dashboard_widgets · classes\util\WPHyvesDashboardWidget.php:22
  • action · plugins_loaded · classes\util\WPHyvesDashboardWidget.php:84
  • action · wp_dashboard_setup · classes\widget\WPHyvesDashboardWidget.php:21
  • filter · wp_dashboard_widgets · classes\widget\WPHyvesDashboardWidget.php:22
  • action · wp_dashboard_setup · classes\widget\WPHyvesFriendTipsDashboardWidget.php:21
  • filter · wp_dashboard_widgets · classes\widget\WPHyvesFriendTipsDashboardWidget.php:22
  • action · wp_dashboard_setup · classes\widget\WPHyvesFriendWWWsDashboardWidget.php:21
  • filter · wp_dashboard_widgets · classes\widget\WPHyvesFriendWWWsDashboardWidget.php:22
  • action · wp_dashboard_setup · classes\widget\WPHyvesProfileDashboardWidget.php:15
  • filter · wp_dashboard_widgets · classes\widget\WPHyvesProfileDashboardWidget.php:16
  • action · wp_dashboard_setup · classes\widget\WPHyvesScrapsDashboardWidget.php:15
  • filter · wp_dashboard_widgets · classes\widget\WPHyvesScrapsDashboardWidget.php:16
  • action · init · classes\widget\WPHyvesWidget.php:52
  • action · wp_dashboard_setup · classes\widget\WPHyvesWWWsDashboardWidget.php:21
  • filter · wp_dashboard_widgets · classes\widget\WPHyvesWWWsDashboardWidget.php:22
  • action · plugins_loaded · wp-hyves.php:60
Maintenance & Trust

WP-Hyves Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.0.5
Last updated: Unknown
PHP min version
Downloads: 5K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

WP-Hyves Developer Profile

Dave Ligthart

4 plugins · 6K total installs

Trust score: 88
Avg Security Score: 91/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP-Hyves

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-hyves/css/admin-header.css
  • /wp-content/plugins/wp-hyves/css/admin-styles.css
  • /wp-content/plugins/wp-hyves/js/admin-header.js
  • /wp-content/plugins/wp-hyves/js/admin-script.js
Script Paths
  • /wp-content/plugins/wp-hyves/js/admin-header.js
  • /wp-content/plugins/wp-hyves/js/admin-script.js
Version Parameters
  • wp-hyves/css/admin-header.css?ver=
  • wp-hyves/css/admin-styles.css?ver=
  • wp-hyves/js/admin-header.js?ver=
  • wp-hyves/js/admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-hyves, wphyves
JS Globals
wp_hyves