Plugin inspection:

BuddyPress Group Email Subscription

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.


This recommendation applies to version 3.4 of this plugin, but the most recent version is 4.2.2. These findings may no longer be correct.


Unescaped SQL. Seems that instead of using nonce values to prevent fraudulent form submissions they are using md5(group id + user id + “unsubscribe”). Puts variables into create_function(), though it does not seem vulnerable.

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe generation of PHP code
  • Unsafe request processing

Read more about our failure criteria.