BuddyBoss Revealing Users' Email Addresses

  • Author
      • February 13, 2023 at 2:26 am #3539167

        I think I’ve stumbled on a bit of a privacy/security flaw in BuddyBoss. Or at least a limitation when using FluentCRM to automate the BuddyBoss/WordPress signup process.

        I use the basic workflow of an Elementor form hooked into the FluentCRM email field and a tag. Then, a FluentCRM automation creates a new WordPress user if they have the tag and have double opted in.

        It works slick….however,

        I noticed all users’ email addresses are available in each member’s profile URL on my site in BuddyBoss.

        So, any user can type in: “http://mysite.com/members/”, and on each member’s profile page, you see the following URL:


        I did some testing and have an idea what’s happening.

        So when you only ask for an email address for signup, WordPress takes the email address and puts it in the [nickname] field. Then, the nickname gets hard coded into the member’s profile URL in BuddyBoss. Even if you change the nickname in your BuddyBoss profile, the URL remains unchanged.

        The only way I’ve found to stop this is to ask for a nickname at time of sign up in my Elementor form hooked into FluentCRM fields. Then the nickname they enter goes in the profile URL in BuddyBoss.

        However, if they choose the same nickname as someone else, neither FluentCRM nor Elementor has any way of checking for existing users with that nickname. But, if you use the BuddyBoss registration form, it does tell the user the name is already taken, which is good.

        I really don’t want my users’ email addresses scraped. The addresses really are all there ripe for the picking.

        Is there a way to change the BuddyBoss URL?



        • February 13, 2023 at 2:26 am #3539200

          Well, I think I’ve found a solution…

          FluentForms and UncannyAutomator.

          FluentForms does way more than I imagined. It hooks in nicely with the WordPress registration system.

          My process now goes like this:

          1. A fluentForm on a WordPress page (styled with Elementor), asking lead for email, and to pick a username, nothing else. The password is set to autogenerate in the backend. So when they choose a username, THAT is what appears in the BuddyBoss member profile URL…NOT their email address. It also becomes the BuddyBoss ‘Nickname’ and ‘FirstName’.

          I felt a username is less of a barrier than a first name…they can add their first name to BuddyBoss later when they are ready.

          2. FluentForms sends a double opt-in email. (required before a WordPress user is actually created)

          3. Lead clicks double opt-in button, and is taken straight to the member’s area…auto logged in. How convenient. All done by fluentForms.

          4. The fluentForm/FluentCRM integration adds a tag to the lead, triggering an Uncanny Automator recipe to send a customized password reset email (much nicer than the default WordPress one). So, they autologin the first visit, and now are less annoyed to create a password for subsequent visits.

          FluentForms also adds tags used for membership access by WPFusion.

          I could use Uncanny Automator instead of WPFusion to grant/remove access based on tags as an option.

          I’m really digging FluentForms and Uncanny Automator together. It provides a lot of flexibility in the signup process, without any coding whatsoever.
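
Since, as the first post notes, the profile URL stays the same after the nickname is changed, accounts created before the signup change keep their original slugs. The following is an added example, not part of the original thread and not BuddyBoss or FluentCRM code: a Python audit over an exported account list that flags profile slugs from which the email address can be read back. The CSV layout and the column names `email` and `slug` are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample export (not real accounts). Column names are assumptions.
SAMPLE_CSV = """email,slug
jane.doe@example.com,jane.doe@example.com
sam_lee@example.org,sam_leeexample-org
pat@example.net,trailrunner42
alex@example.com,alex
"""


def _norm(value):
    """Lowercase and keep only letters and digits, so separators that a
    slug sanitiser may drop or replace do not hide a match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def classify(email, slug):
    """Return 'full-email', 'local-part' or 'ok' for one account."""
    n_email = _norm(email)
    n_local = _norm(email.split("@", 1)[0])
    n_slug = _norm(slug)
    if n_email and n_email in n_slug:
        return "full-email"   # whole address recoverable from the URL
    if n_local and n_slug == n_local:
        return "local-part"   # only the part before the @ is exposed
    return "ok"


def audit(csv_text):
    """Return (slug, finding) for every account whose slug is not 'ok'."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        slug = row["slug"].strip()
        result = classify(row["email"].strip(), slug)
        if result != "ok":
            findings.append((slug, result))
    return findings


if __name__ == "__main__":
    for slug, finding in audit(SAMPLE_CSV):
        print(f"{finding:11} /members/{slug}/")
```
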
