Faces of Users Security & Risk Analysis

wordpress.org/plugins/faces-of-users

Display registered users Gravatars on a single page with shortcode.

10 active installs v0.0.3 PHP + WP 2.7+ Updated May 25, 2010
fungravatarsshortcodetacosusers
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEMay 19, 2026
Safety Verdict

Is Faces of Users Safe to Use in 2026?

Use With Caution

Score 63/100

Faces of Users has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: May 19, 2026Updated 16yr ago
Risk Assessment

The "faces-of-users" plugin v0.0.3 exhibits a generally good security posture based on the provided static analysis. The absence of critical or high severity taint flows, dangerous functions, file operations, and properly escaped output are significant strengths. Furthermore, the lack of any recorded vulnerabilities in its history suggests a stable and well-maintained codebase. The plugin also boasts a very small attack surface, with only one shortcode as an entry point, and importantly, no unprotected entry points detected.

However, there are areas for concern that prevent a perfect score. The plugin utilizes raw SQL queries without prepared statements, which is a significant risk. While the static analysis did not detect unsanitized paths or critical taint flows in this instance, un-prepared SQL queries are a common vector for SQL injection vulnerabilities if user input is ever incorporated indirectly or directly into these queries. The lack of nonce checks and capability checks on its single shortcode is also a notable weakness. While it's not an AJAX or REST API endpoint, shortcodes can still be triggered in various ways, and without proper authorization or nonce validation, they could potentially be exploited.

In conclusion, the plugin has a solid foundation with minimal known risks and a clean vulnerability history. The primary areas for improvement lie in addressing the use of raw SQL and implementing proper authorization and nonce checks for its shortcode. Addressing these would elevate its security significantly.

Key Concerns

  • Raw SQL queries without prepared statements
  • Missing nonce checks on shortcode
  • Missing capability checks on shortcode
Vulnerabilities
1 published

Faces of Users Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8038medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

May 19, 2026Unpatched
Version History

Faces of Users Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Faces of Users Code Analysis

Dangerous Functions
0
Raw SQL Queries
2
0 prepared
Unescaped Output
0
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
1
Bundled Libraries
0

SQL Query Safety

0% prepared2 total queries
Attack Surface

Faces of Users Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[facesofusers] faces-of.php:19
WordPress Hooks 4
actiondelete_userfaces-of.php:85
actionedit_user_profilefaces-of.php:86
actionprofile_updatefaces-of.php:87
actionuser_registerfaces-of.php:88
Maintenance & Trust

Faces of Users Maintenance & Trust

Maintenance Signals

WordPress version tested2.9.2
Last updatedMay 25, 2010
PHP min version
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Faces of Users Developer Profile

Matt McInvale

5 plugins · 1K total installs

77
trust score
Avg Security Score
76/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Faces of Users

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/faces-of-users/faces-of.css

HTML / DOM Fingerprints

CSS Classes
facesofusers
Data Attributes
id="facesofusers"
Shortcode Output
[facesofusers]<div class="facesofusers"><img src="http://www.gravatar.com/avatar/<a href="
FAQ

Frequently Asked Questions about Faces of Users