Does Author Avatars List/Block have any unpatched vulnerabilities?

No. All known vulnerabilities in Author Avatars List/Block have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Author Avatars List/Block compatible with WordPress 6.9.0?

According to WordPress.org data, Author Avatars List/Block 2.1.25 has been tested up to WordPress 6.9.0. Check the plugin's changelog for the latest compatibility information.

How often is Author Avatars List/Block updated?

Author Avatars List/Block was last updated on Nov 28, 2025. Frequent updates are generally a positive security signal.

What is Author Avatars List/Block's security score?

Author Avatars List/Block has a WP-Safety security score of 98/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Author Avatars List/Block Security & Risk Analysis

wordpress.org/plugins/author-avatars

Display lists of user avatars using widgets or shortcodes. With Gutenberg support.

4K active installs v2.1.25 PHP + WP 3.0+ Updated Nov 28, 2025

authoravatarblockimageprofile

A · Safe

CVEs total3

Unpatched0

Last CVEJan 7, 2025

Plugin page Download

Safety Verdict

Is Author Avatars List/Block Safe to Use in 2026?

Generally Safe

Score 98/100

Author Avatars List/Block has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Jan 7, 2025Updated 4mo ago

Risk Assessment

The author-avatars v2.1.25 plugin exhibits a generally good security posture based on the static analysis. The plugin demonstrates a commitment to secure coding practices by utilizing prepared statements for all SQL queries and properly escaping the vast majority of its output. The absence of dangerous functions, file operations, and external HTTP requests further strengthens its security. Crucially, all identified entry points (AJAX handlers) have nonce checks, a vital layer of protection against CSRF attacks.

Key Concerns

No capability checks on AJAX handlers
Bundled TinyMCE library
Medium severity CVEs in history

Vulnerabilities

Author Avatars List/Block Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

3 total CVEs

CVE-2025-22804medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Author Avatars List/Block <= 2.1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 7, 2025 Patched in 2.1.24 (8d)

CVE-2024-47370medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Author Avatars List/Block <= 2.1.21 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Sep 30, 2024 Patched in 2.1.22 (11d)

CVE-2023-49846medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Author Avatars List/Block <= 2.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 6, 2023 Patched in 2.1.18 (48d)

Code Analysis

Analyzed Mar 16, 2026

Author Avatars List/Block Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

20 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE

Output Escaping

95% escaped21 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

AA_shortcode_paging (author-avatars.php:30)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Author Avatars List/Block Attack Surface

Entry Points2

Unprotected0

AJAX Handlers 2

authwp_ajax_AA_shortcode_pagingauthor-avatars.php:27

noprivwp_ajax_AA_shortcode_pagingauthor-avatars.php:28

WordPress Hooks 5

actioninitblocks\init.php:108

actionenqueue_block_editor_assetsblocks\init.php:238

actionenqueue_block_assetsblocks\src\init.php:41

actionenqueue_block_editor_assetsblocks\src\init.php:78

actioninitblocks\src\show-avatar\class-render.php:20

Maintenance & Trust

Author Avatars List/Block Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.0

Last updatedNov 28, 2025

PHP min version

Downloads379K

Community Trust

Rating96/100

Number of ratings32

Active installs4K

Alternatives

Author Avatars List/Block Alternatives

User Avatar – Reloaded

user-avatar-reloaded

Use any image from your WordPress Media Library as a custom user avatar or user profile picture. Add your own Default Avatar.

900 1 unpatched

WP Custom Author Image

author-image

Lets you easily add WP Custom Author Images on your site.

100 No CVEs

User Profile Picture

metronet-profile-picture

Set a custom profile image (avatar) for a user using the standard WordPress media upload tool.

40K 1 CVE

Meks Smart Author Widget

meks-smart-author-widget

Easily display your author/user profile info inside WordPress widget.

10K 1 CVE

Ultimate Post List

ultimate-post-list

100

Make up custom-tailored preview lists of the contents easily and place them in widget areas and post contents.

2K No CVEs

Developer Profile

Author Avatars List/Block Developer Profile

Paul Bearne

6 plugins · 5K total installs

trust score

Avg Security Score

95/100

Avg Patch Time

22 days

View full developer profile

Detection Fingerprints

How We Detect Author Avatars List/Block

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/author-avatars/build/show-avatar/style-block.css/wp-content/plugins/author-avatars/build/show-avatar/block.js/wp-content/plugins/author-avatars/build/show-avatar/block.css

Script Paths

/wp-content/plugins/author-avatars/build/show-avatar/block.js

HTML / DOM Fingerprints

CSS Classes

shortcode-author-avatars

Data Attributes

data-aa-action

JS Globals

authorAvatars

Shortcode Output

<div class="shortcode-author-avatars">

FAQ