WP Symposium Plugin: History and Security Record

WP Symposium was a social networking plugin for WordPress, first released in 2010. It let site owners add forums, activity walls, member profiles, private messaging, and photo galleries to a WordPress site, positioning itself as an alternative to BuddyPress. Development stopped around 2015 and the plugin was removed from the WordPress.org directory. It has not been maintained since.

This domain, wpsymposium.com, was the plugin's original home. Today it publishes WordPress theme, plugin, and hosting reviews. This page preserves the plugin's release and security history for the many vulnerability databases and legacy installations that still reference it.

Security record

WP Symposium has documented, unpatched-by-abandonment security vulnerabilities. The most serious, CVE-2014-10021, is an unrestricted file upload in UploadHandler.php affecting versions up to and including 14.11. It allows an unauthenticated attacker to upload and execute arbitrary PHP, taking over the site. It was fixed in version 14.12, was actively exploited in the wild, and public exploit code exists. An earlier arbitrary file upload flaw affected versions before 11.12.24.

If a site still runs WP Symposium

  • Uninstall the plugin. It is abandoned and will not receive security fixes.
  • Inspect wp-content/plugins/wp-symposium/server/php/ and upload directories for injected PHP files before assuming the site is clean.
  • For the social features it provided, see our guide to BuddyPress alternatives or the BuddyPress vs bbPress comparison.

Release history referenced by security databases

Old release announcement URLs on this domain (such as the v14.11 release notes from November 2014 and the v11.12.08 notes from December 2011) now redirect here. Those releases correspond to the vulnerable versions documented above.