1. In about 2 minutes of manual searching I found a persistent XSS in the latest (updated) version of Oxwall, and there are probably more out there. Please just use an updated XSS evasion cheatsheet (html5sec.org) or at least RSnake's XSS Cheatsheet from ha.ckers.org and sanitize the active content. I bet many of the webmasters that use the Oxwall platform allow members to modify their own profile. Right now anyone can inject JavaScript into their profile without any problems. So guys, if you are using Oxwall, uncheck the box "Allow users to customize this page" (yoursite.com/admin/user-profile), or you can become the victim of an XSS attack. You can say that I'm a douche, but I am not telling you exactly where the XSS is located, because this coding mistake is unpardonable when it's about the security of the users. You can find it by yourself in a few minutes using the hints I gave you. It is basic HTML with basic JavaScript.
2. The SEO part sucks big time. You can make thousands of plugins for SEO, but the code itself is not SEO friendly. 40% of the page is not the generated content itself. When search engine bots crawl the site, the first things found are the CSS and the full JavaScript code. That content is actually considered junk by search engine spiders, and the bots start to ignore the rest of the page because they are programmed to read from the top first, and most of the time spiders ignore the rest of the page if they detect junk code. Everyone knows that. It's almost impossible to target the first page in Google, Yahoo or Bing this way. And the biggest problem is that the 40% of junk code is located in the upper part of the page, starting from the end of the header. Please consider that I'm using the term "junk code" only from an SEO point of view, and I'm aware this code is actually running the functions of the website itself.
3. As an admin I can't make changes to users' accounts. I can't edit profiles, I can't see the IP address, I can't change the passwords, I can't change their e-mail address, I can't change their pics. So what is the role of the admin if I don't have those basic features on my own website? I mean, those features have existed in any CMS for at least 10 years, and they are "a must" in any social platform. Those features should be created from the beginning of a CMS platform. I don't understand the logic of those missing features, but please at least take a look at phpBB or vBulletin to see what basic management features you need to add to Oxwall.
4. Moderator features are a joke, same as the admin features.
5. Too many locations for theme files. If I want to change something I need to browse all the folders and delete the files in three or four places. Caching is a nightmare too. Dev mode/debug mode is visible to all the online users at the same time as the admin. Wtf?
For now, this is what I have to say about my 2 days of experience with Oxwall. Am I satisfied with this free product? No, I'm not, but I consider that it can be better and I will give this platform a shot. Solve the chaos in the code and implement real user management, and I will pay for this if the freeware version becomes obsolete. Until then I wish to thank you guys for making a free social networking platform, and I apologize if I offended you in any way. I know how hard it is to develop something from scratch, and sometimes when security issues are present I forget to talk nicely to people.
Greetz from Romania
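An added example, not code from the post above or from Oxwall itself, showing the kind of fix point 1 asks for: an allowlist sanitizer for user-editable profile markup. It is written in Python rather than Oxwall's PHP so it runs stand-alone; the tag/attribute policy, the function names and the sample profile fragments are all assumptions constructed for the illustration. Everything not explicitly allowed (event handlers, style, script/style bodies, javascript: and data: URLs) is dropped, and text is re-escaped on output, which is the property a profile editor needs whichever cheatsheet the attacker is reading from.

```python
"""Allowlist-based sanitizer for user-editable profile HTML.

Added example, not Oxwall code. The policy below is an assumption for
illustration; in production use a maintained library built on the same
idea (HTML Purifier for PHP, bleach/nh3 for Python).
"""
import html
import re
from html.parser import HTMLParser

# Assumed policy: only plain formatting, lists, links and images survive.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a", "img"}
# Attributes kept per tag. Deliberately absent: style, class, id, every on* handler.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}  # their content is code, not text: drop it

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
# Browsers strip ASCII whitespace/control characters inside a URL before
# parsing it, so "java\tscript:" still runs as javascript:. Strip them first.
_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value: str) -> bool:
    """True for relative URLs and absolute URLs using an allowlisted scheme."""
    cleaned = _CTRL_RE.sub("", value).lower()
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True  # no scheme at all: a relative path
    return match.group(1) in SAFE_SCHEMES


class ProfileSanitizer(HTMLParser):
    """Re-serialises the input keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for proper nesting
        self.raw_skip = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.raw_skip:
            return
        if tag in RAW_TEXT_TAGS:
            self.raw_skip = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text still flows through handle_data, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # rejects onerror/onclick/style/... without listing them
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript: ... are rejected here
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.raw_skip:
            if tag == self.raw_skip:
                self.raw_skip = None
            return
        if tag not in self.open_tags:
            return  # stray or disallowed end tag
        while self.open_tags:  # close anything opened after it: output stays nested
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.raw_skip:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped: HTMLParser's
    # default handlers for them do nothing.

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close whatever the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_profile_html(markup: str) -> str:
    """Sanitize one profile field; run it on every render, not only on save."""
    parser = ProfileSanitizer()
    parser.feed(markup)
    return parser.result()


# Constructed sample profile fragments, each carrying one classic XSS vector.
SAMPLES = [
    "<b>Hello</b><script>alert(document.cookie)</script>",
    '<a href="javascript:alert(1)">click me</a>',
    '<a href="JAVA\tSCRIPT:alert(1)" onclick="steal()">about me</a>',
    '<img src="https://example.com/a.png" onerror="alert(1)">',
    '<p style="position:fixed;top:0">text &lt;3</p>',
    "<b><i>unclosed formatting",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(sanitize_profile_html(sample)))
```

The design point is that the policy is an allowlist, not a blocklist: a new evasion from the cheatsheet cannot add a tag or attribute the sanitizer never emits, and the URL check normalises the value the way a browser does before looking at the scheme. Unchecking "Allow users to customize this page" is the stopgap; this is what the profile renderer needs before that box is ticked again.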