WP-Safety

One User Avatar | User Profile Picture Security & Risk Analysis

wordpress.org/plugins/one-user-avatar

Use any image from your WordPress Media Library as a custom user avatar or user profile picture. Add your own Default Avatar.

100K active installs v2.5.4 PHP + WP 4.0+ Updated Jan 12, 2026
avatarbbpressgravatarprofileusers
99
A · Safe
CVEs total2
Unpatched0
Last CVESep 20, 2021
Plugin page Download
Safety Verdict

Is One User Avatar | User Profile Picture Safe to Use in 2026?

Generally Safe

Score 99/100

One User Avatar | User Profile Picture has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Sep 20, 2021Updated 2mo ago
Risk Assessment

The one-user-avatar plugin version 2.5.4 exhibits a generally good security posture with several strengths. The code analysis reveals a strong adherence to secure coding practices, with 100% of SQL queries utilizing prepared statements and a high rate (97%) of properly escaped output. The absence of dangerous functions, file operations, and critical/high severity taint flows is also a positive indicator. Furthermore, the plugin demonstrates a commitment to security by including nonce checks and capability checks, and all previously known CVEs are patched.

However, a key concern arises from the presence of one unprotected AJAX handler, representing a significant entry point without authentication. While the total attack surface is relatively small, this single unprotected handler poses a risk that could be exploited by unauthenticated users. The vulnerability history, though all CVEs are patched, does show a pattern of medium severity vulnerabilities, specifically CSRF and XSS, indicating that past issues have existed in input validation and output sanitization, even if the current version appears to have addressed them. The presence of TinyMCE as a bundled library, while common, could introduce risks if it is an outdated version, though this is not explicitly stated in the provided data.

In conclusion, the plugin has made significant strides in security, particularly in its handling of database interactions and output. The primary area for improvement and continued vigilance is the protection of all entry points, specifically the AJAX handlers, to prevent potential unauthorized actions. The past vulnerability history, while resolved, suggests that ongoing security reviews and rigorous testing are crucial for this plugin.

Key Concerns

  • Unprotected AJAX handler present
  • Medium severity vulnerability history (CSRF, XSS)
Vulnerabilities
2

One User Avatar | User Profile Picture Security Vulnerabilities

CVEs by Year

2 CVEs in 2021
2021
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2021-24675medium · 6.5Cross-Site Request Forgery (CSRF)

One User Avatar <= 2.3.6 - Cross-Site Request Forgery

Sep 20, 2021 Patched in 2.3.7 (855d)
CVE-2021-24672medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

One User Avatar <= 2.3.6 - Stored Cross-Site Scripting

Sep 20, 2021 Patched in 2.3.7 (855d)
Code Analysis
Analyzed Mar 16, 2026

One User Avatar | User Profile Picture Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
8 prepared
Unescaped Output
10
296 escaped
Nonce Checks
2
Capability Checks
18
File Operations
0
External Requests
1
Bundled Libraries
1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared8 total queries

Output Escaping

97% escaped306 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
wpua_bulk_actions (includes\class-wp-user-avatar-admin.php:89)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

One User Avatar | User Profile Picture Attack Surface

Entry Points3
Unprotected1

AJAX Handlers 1

authwp_ajax_wp_user_avatar_tinymceincludes\wpua-tinymce.php:87

Shortcodes 2

[avatar] includes\class-wp-user-avatar-shortcode.php:28
[avatar_upload] includes\class-wp-user-avatar-shortcode.php:29
WordPress Hooks 70
actionadmin_enqueue_scriptsincludes\class-wp-user-avatar-admin.php:32
actionload-avatars_page_wp-user-avatar-libraryincludes\class-wp-user-avatar-admin.php:35
actionadmin_initincludes\class-wp-user-avatar-admin.php:41
actionadmin_menuincludes\class-wp-user-avatar-admin.php:42
filterdefault_avatar_selectincludes\class-wp-user-avatar-admin.php:45
filterallowed_optionsincludes\class-wp-user-avatar-admin.php:48
filterwhitelist_optionsincludes\class-wp-user-avatar-admin.php:50
filterplugin_action_linksincludes\class-wp-user-avatar-admin.php:54
filterplugin_row_metaincludes\class-wp-user-avatar-admin.php:55
filtermanage_users_columnsincludes\class-wp-user-avatar-admin.php:59
filtermanage_users_custom_columnincludes\class-wp-user-avatar-admin.php:60
filterdisplay_media_statesincludes\class-wp-user-avatar-admin.php:64
filterset-screen-optionincludes\class-wp-user-avatar-admin.php:236
filterget_avatarincludes\class-wp-user-avatar-admin.php:390
filterget_avatar_urlincludes\class-wp-user-avatar-admin.php:391
actioninitincludes\class-wp-user-avatar-admin.php:597
filterget_avatarincludes\class-wp-user-avatar-functions.php:24
filterget_avatar_urlincludes\class-wp-user-avatar-functions.php:26
filterbp_core_fetch_avatarincludes\class-wp-user-avatar-functions.php:29
filterbp_core_fetch_avatar_urlincludes\class-wp-user-avatar-functions.php:32
actioninitincludes\class-wp-user-avatar-functions.php:35
filterthe_contentincludes\class-wp-user-avatar-functions.php:38
filterget_avatarincludes\class-wp-user-avatar-functions.php:747
filterget_avatar_urlincludes\class-wp-user-avatar-functions.php:748
actionplugins_loadedincludes\class-wp-user-avatar-functions.php:1089
filterthe_titleincludes\class-wp-user-avatar-list-table.php:385
actioninitincludes\class-wp-user-avatar-resource-manager.php:40
actionwp_footerincludes\class-wp-user-avatar-resource-manager.php:41
actionwp_print_footer_scriptsincludes\class-wp-user-avatar-resource-manager.php:97
actionadmin_print_footer_scriptsincludes\class-wp-user-avatar-resource-manager.php:98
actionshutdownincludes\class-wp-user-avatar-resource-manager.php:100
actionwpua_show_profileincludes\class-wp-user-avatar-shortcode.php:32
actionwpua_show_profileincludes\class-wp-user-avatar-shortcode.php:33
actionwpua_updateincludes\class-wp-user-avatar-shortcode.php:34
actionwpua_update_errorsincludes\class-wp-user-avatar-shortcode.php:37
actioninitincludes\class-wp-user-avatar-shortcode.php:330
actionuser_edit_form_tagincludes\class-wp-user-avatar-subscriber.php:31
actionadmin_initincludes\class-wp-user-avatar-subscriber.php:34
actioninitincludes\class-wp-user-avatar-subscriber.php:84
actionadmin_initincludes\class-wp-user-avatar-update.php:30
actionadmin_initincludes\class-wp-user-avatar-update.php:34
actionadmin_initincludes\class-wp-user-avatar-update.php:38
actioninitincludes\class-wp-user-avatar-update.php:150
filterwpua_profile_titleincludes\class-wp-user-avatar-widget.php:74
actionshow_user_profileincludes\class-wp-user-avatar.php:38
actionedit_user_profileincludes\class-wp-user-avatar.php:39
actionpersonal_options_updateincludes\class-wp-user-avatar.php:41
actionedit_user_profile_updateincludes\class-wp-user-avatar.php:42
actionuser_new_formincludes\class-wp-user-avatar.php:44
actionuser_registerincludes\class-wp-user-avatar.php:45
filteruser_profile_picture_descriptionincludes\class-wp-user-avatar.php:47
actionadmin_enqueue_scriptsincludes\class-wp-user-avatar.php:53
actionshow_user_profileincludes\class-wp-user-avatar.php:58
actionedit_user_profileincludes\class-wp-user-avatar.php:59
actionuser_profile_update_errorsincludes\class-wp-user-avatar.php:64
filterwp_handle_upload_prefilterincludes\class-wp-user-avatar.php:67
filtermedia_view_settingsincludes\class-wp-user-avatar.php:71
actionuser_profile_update_errorsincludes\class-wp-user-avatar.php:445
actioninitincludes\class-wp-user-avatar.php:699
actionwpua_before_avatarincludes\wpua-functions.php:132
actionwpua_after_avatarincludes\wpua-functions.php:160
actionwpua_before_avatar_adminincludes\wpua-functions.php:193
actionwpua_after_avatar_adminincludes\wpua-functions.php:206
actionwidgets_initincludes\wpua-functions.php:216
filtermce_external_pluginsincludes\wpua-tinymce.php:26
filtermce_buttonsincludes\wpua-tinymce.php:27
actioninitincludes\wpua-tinymce.php:30
actionadmin_enqueue_scriptsincludes\wpua-tinymce.php:76
actionadmin_noticesone-user-avatar.php:129
actionplugins_loadedone-user-avatar.php:227
Maintenance & Trust

One User Avatar | User Profile Picture Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 12, 2026
PHP min version
Downloads491K

Community Trust

Rating94/100
Number of ratings41
Active installs100K
Alternatives

One User Avatar | User Profile Picture Alternatives

Simple Local Avatars

Simple Local Avatars

simple-local-avatars

A
93

Adds an avatar upload field to user profiles. Generates requested sizes on demand just like Gravatar!

100K 6 CVEs
User Profile Picture

User Profile Picture

metronet-profile-picture

A
91

Set a custom profile image (avatar) for a user using the standard WordPress media upload tool.

40K 1 CVE
Basic User Avatars

Basic User Avatars

basic-user-avatars

A
92

Add an avatar upload field on frontend pages and Edit Profile screen so users can add a custom profile picture.

20K No CVEs
Avatar Manager

Avatar Manager

avatar-manager

A
85

Avatar Manager for WordPress is a sweet and simple plugin for storing avatars locally and more. Easily.

6K No CVEs
User Profile Picture

User Profile Picture

users-profile-picture

A
91

Set a custom profile image for a user using the standard WordPress media upload tool.

4K 2 CVEs
Developer Profile

One User Avatar | User Profile Picture Developer Profile

One Designs

1 plugin · 100K total installs

78
trust score
Avg Security Score
99/100
Avg Patch Time
855 days
View full developer profile
Detection Fingerprints

How We Detect One User Avatar | User Profile Picture

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/one-user-avatar/assets/css/wp-user-avatar-admin.css/wp-content/plugins/one-user-avatar/assets/css/wp-user-avatar-public.css/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-admin.js/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-admin-media.js/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-media.js/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-public.js
Script Paths
/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-admin.js/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-admin-media.js/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-media.js/wp-content/plugins/one-user-avatar/assets/js/wp-user-avatar-public.js
Version Parameters
one-user-avatar/assets/css/wp-user-avatar-admin.css?ver=one-user-avatar/assets/css/wp-user-avatar-public.css?ver=one-user-avatar/assets/js/wp-user-avatar-admin.js?ver=one-user-avatar/assets/js/wp-user-avatar-admin-media.js?ver=one-user-avatar/assets/js/wp-user-avatar-media.js?ver=one-user-avatar/assets/js/wp-user-avatar-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpua-custom-avatarwpua-upload-wrapwpua-avatar-formwpua-avatar-settingswpua-default-avatar
HTML Comments
<!-- One User Avatar --><!-- Default Avatar --><!-- Upload Avatar --><!-- User Avatar Settings -->
Data Attributes
data-wpua-iddata-wpua-actiondata-wpua-nonce
JS Globals
wp_user_avatar_params
REST Endpoints
/wp-json/one-user-avatar/v1/upload/wp-json/one-user-avatar/v1/settings
Shortcode Output
[one_user_avatar][user_avatar]
FAQ

Frequently Asked Questions about One User Avatar | User Profile Picture