Does Author Avatars List/Block have any unpatched vulnerabilities?

Yes — Author Avatars List/Block currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Author Avatars List/Block compatible with WordPress 6.9.0?

According to WordPress.org data, Author Avatars List/Block 2.1.25 has been tested up to WordPress 6.9.0. Check the plugin's changelog for the latest compatibility information.

How often is Author Avatars List/Block updated?

Author Avatars List/Block was last updated on Nov 28, 2025. Frequent updates are generally a positive security signal.

What is Author Avatars List/Block's security score?

Author Avatars List/Block has a WP-Safety security score of 72/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Author Avatars List/Block Security & Risk Analysis

wordpress.org/plugins/author-avatars

Display lists of user avatars using widgets or shortcodes. With Gutenberg support.

4K active installs v2.1.25 PHP + WP 3.0+ Updated Nov 28, 2025

authoravatarblockimageprofile

B · Generally Safe

CVEs total4

Unpatched1

Last CVEFeb 23, 2026

Plugin page Download

Safety Verdict

Is Author Avatars List/Block Safe to Use in 2026?

Mostly Safe

Score 72/100

Author Avatars List/Block is generally safe to use. 4 past CVEs were resolved.

4 known CVEs 1 unpatched Last CVE: Feb 23, 2026Updated 5mo ago

Risk Assessment

The author-avatars v2.1.25 plugin exhibits a generally good security posture based on the static analysis. The plugin demonstrates a commitment to secure coding practices by utilizing prepared statements for all SQL queries and properly escaping the vast majority of its output. The absence of dangerous functions, file operations, and external HTTP requests further strengthens its security. Crucially, all identified entry points (AJAX handlers) have nonce checks, a vital layer of protection against CSRF attacks.

Key Concerns

No capability checks on AJAX handlers
Bundled TinyMCE library
Medium severity CVEs in history

Vulnerabilities

4 published

Author Avatars List/Block Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

1 CVE in 2025

2025

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

Medium

4 total CVEs

CVE-2026-39690medium · 5.3Missing Authorization

Author Avatars List/Block <= 2.1.25 - Missing Authorization

Feb 23, 2026Unpatched

CVE-2025-22804medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Author Avatars List/Block <= 2.1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 7, 2025 Patched in 2.1.24 (8d)

CVE-2024-47370medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Author Avatars List/Block <= 2.1.21 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Sep 30, 2024 Patched in 2.1.22 (11d)

CVE-2023-49846medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Author Avatars List/Block <= 2.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 6, 2023 Patched in 2.1.18 (48d)

Version History

Author Avatars List/Block Release Timeline

v2.1.25Current1 CVE

CVE-2026-39690

v2.1.241 CVE

CVE-2026-39690

v2.1.232 CVEs

CVE-2025-22804 CVE-2026-39690

v2.1.222 CVEs

CVE-2025-22804 CVE-2026-39690

v2.1.213 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690

v2.1.203 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690

v2.1.193 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690

v2.1.183 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690

v2.1.174 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.164 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.154 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.144 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.134 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.124 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.114 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.104 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.94 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.84 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.44 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

v2.1.24 CVEs

CVE-2025-22804 CVE-2024-47370 CVE-2026-39690 +1 more

Code Analysis

Analyzed Mar 16, 2026

Author Avatars List/Block Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

20 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE

Output Escaping

95% escaped21 total outputs

Data Flows · Security

All sanitized

Data Flow Analysis

2 flows

AA_shortcode_paging (author-avatars.php:30)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Author Avatars List/Block Attack Surface

Entry Points2

Unprotected0

AJAX Handlers 2

authwp_ajax_AA_shortcode_pagingauthor-avatars.php:27

noprivwp_ajax_AA_shortcode_pagingauthor-avatars.php:28

WordPress Hooks 5

actioninitblocks\init.php:108

actionenqueue_block_editor_assetsblocks\init.php:238

actionenqueue_block_assetsblocks\src\init.php:41

actionenqueue_block_editor_assetsblocks\src\init.php:78

actioninitblocks\src\show-avatar\class-render.php:20

Maintenance & Trust

Author Avatars List/Block Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.0

Last updatedNov 28, 2025

PHP min version

Downloads380K

Community Trust

Rating96/100

Number of ratings32

Active installs4K

Alternatives

Author Avatars List/Block Alternatives

User Avatar – Reloaded

user-avatar-reloaded

Use any image from your WordPress Media Library as a custom user avatar or user profile picture. Add your own Default Avatar.

900 1 unpatched

WP Custom Author Image

author-image

Lets you easily add WP Custom Author Images on your site.

100 No CVEs

User Profile Picture

metronet-profile-picture

Set a custom profile image (avatar) for a user using the standard WordPress media upload tool.

40K 1 CVE

Meks Smart Author Widget

meks-smart-author-widget

Easily display your author/user profile info inside WordPress widget.

10K 1 CVE

Gosign – Contact Person Box Block

gosign-contact-person-box-block

This plugin enables you to customize the contact person box block with title, discription phone number and many other options.

1K No CVEs

Developer Profile

Author Avatars List/Block Developer Profile

Paul Bearne

6 plugins · 5K total installs

trust score

Avg Security Score

87/100

Avg Patch Time

22 days

View full developer profile

Detection Fingerprints

How We Detect Author Avatars List/Block

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/author-avatars/build/show-avatar/style-block.css/wp-content/plugins/author-avatars/build/show-avatar/block.js/wp-content/plugins/author-avatars/build/show-avatar/block.css

Script Paths

/wp-content/plugins/author-avatars/build/show-avatar/block.js

HTML / DOM Fingerprints

CSS Classes

shortcode-author-avatars

Data Attributes

data-aa-action

JS Globals

authorAvatars

Shortcode Output

<div class="shortcode-author-avatars">

FAQ

Author Avatars List/Block Security & Risk Analysis

Is Author Avatars List/Block Safe to Use in 2026?

Mostly Safe

Key Concerns

Author Avatars List/Block Security Vulnerabilities

CVEs by Year

Severity Breakdown

Author Avatars List/Block Release Timeline

Author Avatars List/Block Code Analysis

Bundled Libraries

Output Escaping

Data Flow Analysis

Author Avatars List/Block Attack Surface

AJAX Handlers 2

Author Avatars List/Block Maintenance & Trust

Maintenance Signals

Community Trust

Author Avatars List/Block Alternatives

User Avatar – Reloaded

WP Custom Author Image

User Profile Picture

Meks Smart Author Widget

Gosign – Contact Person Box Block

Author Avatars List/Block Developer Profile

How We Detect Author Avatars List/Block

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Author Avatars List/Block