User Profile Picture Security & Risk Analysis

wordpress.org/plugins/metronet-profile-picture

Set a custom profile image (avatar) for a user using the standard WordPress media upload tool.

40K active installs · v2.6.3 · PHP 5.6+ · WP 4.6+ · Updated Jul 18, 2024
Tags: avatar, blocks, gravatar, user-profile, users
Score: 91/100
Grade: A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jun 20, 2024
Safety Verdict

Is User Profile Picture Safe to Use in 2026?

Generally Safe

Score 91/100

User Profile Picture has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jun 20, 2024 · Updated 1yr ago
Risk Assessment

The "metronet-profile-picture" v2.6.3 plugin exhibits a generally good security posture with several positive indicators. The consistent use of prepared statements for SQL queries and the very high percentage of properly escaped output are commendable practices, and the absence of dangerous functions, file operations, and external HTTP requests is a further strong point. The significant number of nonce and capability checks also suggests a proactive approach to securing its functionality. However, there are notable areas of concern, particularly regarding the attack surface. Two of the five REST API routes lack permission callbacks, creating potential entry points for unauthorized access. The taint analysis, while limited in scope (only two flows analyzed), identified two flows with unsanitized paths, although neither was classified as critical or high severity. The vulnerability history shows one past medium-severity CVE, "Authorization Bypass Through User-Controlled Key", which, while patched, highlights a historical weakness in access control logic that warrants continued vigilance. Overall, while the plugin has strong defensive coding practices, the unprotected REST API routes and the past authorization bypass vulnerability indicate areas that require attention to fully mitigate risk.

Key Concerns

  • REST API routes without permission callbacks
  • Flows with unsanitized paths
  • Past medium severity CVE
Vulnerabilities (1)

User Profile Picture Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-5639 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

User Profile Picture <= 2.6.1 - Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update

Jun 20, 2024 Patched in 2.6.2 (1d)
Code Analysis
Analyzed Mar 16, 2026

User Profile Picture Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 15 (423 escaped)
Nonce Checks: 6
Capability Checks: 12
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (1 total query)

Output Escaping

97% escaped (438 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

2 flows, 2 with unsanitized paths
<metronet-profile-picture> (metronet-profile-picture.php:0)
Attack Surface (2 unprotected)

User Profile Picture Attack Surface

Entry Points: 8
Unprotected: 2

AJAX Handlers (3)

auth · wp_ajax_metronet_add_thumbnail · metronet-profile-picture.php:92
auth · wp_ajax_metronet_get_thumbnail · metronet-profile-picture.php:93
auth · wp_ajax_metronet_remove_thumbnail · metronet-profile-picture.php:94

REST API Routes (5)

POST /wp-json/mpp/v2/profile-image/me · metronet-profile-picture.php:980
POST /wp-json/mpp/v2/profile-image/change · metronet-profile-picture.php:989
POST /wp-json/mpp/v2/get_users · metronet-profile-picture.php:1000
POST /wp-json/mpp/v2/get_posts · metronet-profile-picture.php:1009
GET /wp-json/mpp/v1/user/(?P<id>\d+) · metronet-profile-picture.php:1019

WordPress Hooks (26)
action · init · gutenberg\class-gutenberg.php:28
action · enqueue_block_assets · gutenberg\class-gutenberg.php:29
action · enqueue_block_editor_assets · gutenberg\class-gutenberg.php:30
action · admin_footer · gutenberg\class-gutenberg.php:31
action · init · metronet-profile-picture.php:77
action · personal_options · metronet-profile-picture.php:78
action · admin_print_scripts-user-edit.php · metronet-profile-picture.php:81
action · admin_print_scripts-profile.php · metronet-profile-picture.php:82
action · wp_enqueue_scripts · metronet-profile-picture.php:84
action · acf/input/admin_enqueue_scripts · metronet-profile-picture.php:85
action · admin_print_styles-user-edit.php · metronet-profile-picture.php:88
action · admin_print_styles-profile.php · metronet-profile-picture.php:89
action · edit_user_profile_update · metronet-profile-picture.php:97
action · personal_options_update · metronet-profile-picture.php:98
filter · get_avatar · metronet-profile-picture.php:101
filter · pre_get_avatar_data · metronet-profile-picture.php:102
action · rest_api_init · metronet-profile-picture.php:105
filter · mpp_hide_avatar_override · metronet-profile-picture.php:108
filter · block_categories_all · metronet-profile-picture.php:116
filter · block_categories · metronet-profile-picture.php:118
action · admin_menu · metronet-profile-picture.php:706
action · plugins_loaded · metronet-profile-picture.php:1341
action · wp_footer · metronet-profile-picture.php:1673
action · admin_notices · profile-builder-transition.php:35
action · admin_init · profile-builder-transition.php:36
action · admin_init · profile-builder-transition.php:37
Maintenance & Trust

User Profile Picture Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Jul 18, 2024
PHP min version: 5.6
Downloads: 1.0M

Community Trust

Rating: 92/100
Number of ratings: 59
Active installs: 40K
Developer Profile

User Profile Picture Developer Profile

Cozmoslabs

11 plugins · 520K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 634 days
Detection Fingerprints

How We Detect User Profile Picture

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/metronet-profile-picture/assets/css/admin.css
/wp-content/plugins/metronet-profile-picture/assets/js/admin.js
/wp-content/plugins/metronet-profile-picture/assets/js/mpp-gutenberg-editor.js
/wp-content/plugins/metronet-profile-picture/assets/css/gutenberg.css
Script Paths
/wp-content/plugins/metronet-profile-picture/assets/js/admin.js
/wp-content/plugins/metronet-profile-picture/gutenberg/class-gutenberg.php
Version Parameters
metronet-profile-picture/assets/css/admin.css?ver=
metronet-profile-picture/assets/js/admin.js?ver=
metronet-profile-picture/assets/js/mpp-gutenberg-editor.js?ver=
metronet-profile-picture/assets/css/gutenberg.css?ver=

HTML / DOM Fingerprints

CSS Classes
mpp-gutenberg-editor-container
mpp-gutenberg-editor-preview
Data Attributes
data-mpp-user-id
JS Globals
metronet_profile_picture_ajax_object
REST Endpoints
/wp-json/mpp/v1/get-profile-picture
/wp-json/mpp/v1/upload-profile-picture
FAQ

Frequently Asked Questions about User Profile Picture