Releases: 82
Frequency: 2 weeks 1 day
Last Release
Downloads: 87.8K

The Friends plugin turns your WordPress into a self-hosted social reader. Follow people via RSS and ActivityPub (Mastodon and other Fediverse platforms) and read their posts through one of several built-in themes — Mastodon-style, Google Reader-style, or the default view — with dark mode support.

Combine this plugin with the ActivityPub plugin to participate in the Fediverse from your own site. Use the Enable Mastodon Apps plugin to use mobile and desktop Mastodon apps with your WordPress.

The plugin is designed to be extensible: other plugins can add parsers for new feed sources, new themes, and new functionality like saving posts to a collection or sending them to an eReader.

You can…
– Choose from multiple themes: Mastodon-style, Google Reader-style, and a block theme with dark mode.
– Organize your subscriptions into folders.
– Have multiple feeds per person (blog, social media, etc.).
– Categorize incoming content with Post Formats and view all posts of a certain format across your feeds.
– Define rules to filter incoming content.
– Get full-post email notifications from your favorite blogs.
– Save posts to a collection for later reference (via the Post Collection plugin).
– Send posts to your eReader (via the Send to E-Reader plugin).
– Subscribe to any site with one click using the Friends browser extension (also available for Firefox).

Philosophy

The Friends Plugin was built to make use of what WordPress provides:

  • You use the WordPress infrastructure (Gutenberg or Classic Editor, whichever you prefer) to create your posts.
  • Followed people are stored as taxonomy terms, their posts are cached as a custom post type — delete the term to unfollow.
  • No extra tables: The Friends plugin just uses a post type, options, and some taxonomies to store its data. When you delete the plugin, your WordPress will be as slim as before.

The logo was created by Ramon Dodd, @ramonopoly. Thank you!

Documentation for the plugin can be found on the GitHub project Wiki.

Development of this plugin is done on GitHub. Pull requests welcome. Please see issues reported there before going to the plugin forum.

CVE History

CVE | Published | CVSS v3 | CVSS v2
7.5 HIGH

The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. This requires access to the site's SALT_NONCE and SALT_KEY to exploit.
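
The failure mode described in the advisory, as an added example (not code from the Friends plugin): a parameter that is authenticated with a secret and then unserialized, beside a decoder that refuses to instantiate objects. `DEMO_SECRET`, `DemoGadget` and the function names are hypothetical; the secret is a constructed stand-in for a value derived from the site's salts.

```php
<?php
// Added example with hypothetical names; not the plugin's own code.
const DEMO_SECRET = 'constructed-demo-secret'; // stand-in for a salt-derived key

// Stand-in for a class with a magic method shipped by some other plugin or theme.
class DemoGadget {
    public $path = '';
    public function __wakeup() {
        echo "DemoGadget::__wakeup ran during unserialize()\n";
    }
}

function sign_value(string $payload): string {
    return hash_hmac('sha256', $payload, DEMO_SECRET);
}

// Weak: a valid signature is treated as proof the payload is safe to unserialize.
function decode_weak(string $payload, string $sig) {
    if (!hash_equals(sign_value($payload), $sig)) {
        return null;
    }
    return unserialize($payload); // instantiates any class named in the payload
}

// Hardened: verify the signature, disable object creation, accept only scalars.
function decode_hardened(string $payload, string $sig): ?array {
    if (!hash_equals(sign_value($payload), $sig)) {
        return null;
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $value) {
        if (!is_scalar($value)) {
            return null; // rejects __PHP_Incomplete_Class and nested values
        }
    }
    return $data;
}

// Constructed sample inputs: one plain array, one carrying an object.
$plain  = serialize(['post_type' => 'post', 'paged' => 2]);
$object = serialize(['post_type' => new DemoGadget()]);

var_dump(decode_hardened($plain, sign_value($plain)));   // array is accepted
var_dump(decode_hardened($object, sign_value($object))); // object is rejected
decode_weak($object, sign_value($object));               // magic method fires
```

Encoding such values as JSON and reading them with `json_decode()` removes object instantiation from this path altogether, so the signature is no longer the only barrier if the secret leaks.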