Does AP Gravatars have any unpatched vulnerabilities?

No. All known vulnerabilities in AP Gravatars have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is AP Gravatars compatible with WordPress 3.3.2?

According to WordPress.org data, AP Gravatars 1.0 has been tested up to WordPress 3.3.2. Check the plugin's changelog for the latest compatibility information.

How often is AP Gravatars updated?

AP Gravatars was last updated on Apr 25, 2012. Frequent updates are generally a positive security signal.

What is AP Gravatars's security score?

AP Gravatars has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

AP Gravatars Security & Risk Analysis

wordpress.org/plugins/ap-gravatars

A simple plugin that adds the gravatar photo associated with the user's email to their profile page... MultiSite compatable!

200 active installs v1.0 PHP + WP 2.0+ Updated Apr 25, 2012

avatargravatarprofileprofile-picturewpms

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is AP Gravatars Safe to Use in 2026?

Generally Safe

Score 85/100

AP Gravatars has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 13yr ago

Risk Assessment

The "ap-gravatars" v1.0 plugin exhibits a generally strong security posture based on the provided static analysis. There are no identified AJAX handlers, REST API routes, shortcodes, or cron events, resulting in a zero-total attack surface. This significantly reduces the potential entry points for malicious actors. Furthermore, the code signals indicate no dangerous functions, no direct SQL queries (all use prepared statements), no file operations, and no external HTTP requests, which are all positive security indicators. The absence of vulnerability history, including known CVEs, suggests a good track record for this plugin. However, the analysis does highlight a significant concern: 100% of output is not properly escaped, which presents a notable risk of Cross-Site Scripting (XSS) vulnerabilities if any dynamic data is outputted to the user. While the plugin has a small attack surface and no recorded historical vulnerabilities, the lack of output escaping is a critical oversight that needs immediate attention. This single weakness could be exploited to inject malicious scripts, compromising user sessions or defacing the website.

Key Concerns

100% of outputs are not properly escaped

Vulnerabilities

None known

AP Gravatars Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

AP Gravatars Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped1 total outputs

Attack Surface

AP Gravatars Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 2

actionshow_user_profileap-gravatars.php:83

actionedit_user_profileap-gravatars.php:84

Maintenance & Trust

AP Gravatars Maintenance & Trust

Maintenance Signals

WordPress version tested3.3.2

Last updatedApr 25, 2012

PHP min version

Downloads12K

Community Trust

Rating0/100

Number of ratings0

Active installs200

Alternatives

AP Gravatars Alternatives

Advanced User Avatar | Custom Profile Picture Uploader for WordPress, WooCommerce, and BuddyPress

wpmake-advance-user-avatar

100

Adds an avatar upload field through a simple shortcode or block to let your site users upload a custom profile picture (avatar) directly from their de …

200 No CVEs