Does Customize Random Avatar have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Customize Random Avatar compatible with WordPress 5.5.18?

According to WordPress.org data, Customize Random Avatar 3.0.0 has been tested up to WordPress 5.5.18. Check the plugin's changelog for the latest compatibility information.

How often is Customize Random Avatar updated?

Customize Random Avatar was last updated on Sep 9, 2020. Frequent updates are generally a positive security signal.

What is Customize Random Avatar's security score?

Customize Random Avatar has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Customize Random Avatar Security & Risk Analysis

wordpress.org/plugins/random-avatars-of-user

This 'Customize Random Avatar' plugin allows the WordPress site/blog owner and its registered users to add 3 profile images of their profile …

10 active installs v3.0.0 PHP + WP 3.8+ Updated Sep 9, 2020

chnage-avatarchoose-custom-avatarcustomize-random-avatarrandom-avatarupdate-custom-avatar

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Customize Random Avatar Safe to Use in 2026?

Generally Safe

Score 85/100

Customize Random Avatar has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago

Risk Assessment

The 'random-avatars-of-user' v3.0.0 plugin exhibits a mixed security posture. While it has a zero attack surface from readily identifiable entry points like AJAX handlers, REST API routes, shortcodes, and cron events, and all SQL queries are prepared, significant concerns arise from the code analysis.

The presence of 'move_uploaded_file' without any apparent authorization or nonce checks is a critical risk. This function, when used without proper validation, can lead to arbitrary file uploads, potentially allowing attackers to upload malicious scripts or overwrite existing files. The taint analysis revealing flows with unsanitized paths further exacerbates this risk, suggesting that user-supplied input might be directly influencing file operations without sufficient sanitization or validation.

The plugin's vulnerability history is clean, with no recorded CVEs. This is a positive indicator, suggesting that the developers have either been diligent in avoiding common vulnerabilities or that the plugin's limited functionality hasn't attracted significant scrutiny. However, the lack of historical vulnerabilities does not negate the immediate risks identified in the static analysis. The absence of capability checks and nonce checks on sensitive functions like file operations is a major oversight that needs immediate attention.

Key Concerns

Dangerous function 'move_uploaded_file' found
Flows with unsanitized paths found
Missing capability checks
Missing nonce checks
Low output escaping percentage (18%)

Vulnerabilities

None known

Customize Random Avatar Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Customize Random Avatar Release Timeline

v2.0.0

v1.0.0

Code Analysis

Analyzed Apr 16, 2026

Customize Random Avatar Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

move_uploaded_filemove_uploaded_file($_FILES['avatar1']['tmp_name'], $path . "/" . $user_img1);display-user-avatar.php:206

move_uploaded_filemove_uploaded_file($_FILES['avatar2']['tmp_name'], $path . "/" . $user_img2);display-user-avatar.php:219

move_uploaded_filemove_uploaded_file($_FILES['avatar3']['tmp_name'], $path . "/" . $user_img3);display-user-avatar.php:232

Output Escaping

18% escaped11 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

bc_get_avatar (display-user-avatar.php:22)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Customize Random Avatar Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 8

actioninitdisplay-user-avatar.php:18

actionshow_user_profiledisplay-user-avatar.php:19

actionedit_user_profiledisplay-user-avatar.php:20

actionpersonal_options_updatedisplay-user-avatar.php:177

actionuser_profile_update_errorsdisplay-user-avatar.php:209

actionuser_profile_update_errorsdisplay-user-avatar.php:221

actionuser_profile_update_errorsdisplay-user-avatar.php:234

actionget_avatardisplay-user-avatar.php:353

Maintenance & Trust

Customize Random Avatar Maintenance & Trust

Maintenance Signals

WordPress version tested5.5.18

Last updatedSep 9, 2020

PHP min version

Downloads3K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

Customize Random Avatar Alternatives

No alternatives data available yet.

Developer Profile

Customize Random Avatar Developer Profile

AppJetty

9 plugins · 830 total installs

trust score

Avg Security Score

83/100

Avg Patch Time

396 days

View full developer profile

Detection Fingerprints

How We Detect Customize Random Avatar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/random-avatars-of-user/css/style.css

Version Parameters

random-avatars-of-user/css/style.css?ver=

HTML / DOM Fingerprints

CSS Classes

dua-table

Data Attributes

id="remove_1"id="avatar1"id="avatar_1_val"id="remove_2"id="avatar2"id="avatar_2_val"+3 more

FAQ