[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx4ayEzSTrKpX3-6dn7Hwxyu4nixK5EQcXNnrHRlDvQE":3,"$f_eGQbHivIGnh9aOom1df7G0DL1tDF-fFLPtwr7prH70":182,"$fg1WhXhmzy14xTDofO6A7Lb67hB_mhSGjzoK1Vr9RE4o":187},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":17,"download_link":24,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":38,"analysis":39,"fingerprints":157},"random-avatars-of-user","Customize Random Avatar","3.0.0","AppJetty","https:\u002F\u002Fprofiles.wordpress.org\u002Fbiztechc\u002F","\u003Col>\n\u003Cli>This plug-in displays three user’s avatars randomly.\u003C\u002Fli>\n\u003Cli>Admin\u002Fusers can upload three different avatars in their profile page.\u003C\u002Fli>\n\u003Cli>Admin\u002Fusers can select any avatar from the three.\u003C\u002Fli>\n\u003Cli>In the comment section, avatars will display randomly, if selected all.\u003Cbr \u002F>\nSome theme have different function for calling user’s avatar at that time this plugin is not usefull.b\u003C\u002Fli>\n\u003C\u002Fol>\n","This 'Customize Random Avatar' plugin allows the WordPress site\u002Fblog owner and its registered users to add 3 profile images of their profile 
&hellip;",10,2512,0,"2020-09-09T09:33:00.000Z","5.5.18","3.8","",[19,20,21,22,23],"chnage-avatar","choose-custom-avatar","customize-random-avatar","random-avatar","update-custom-avatar","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frandom-avatars-of-user.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"biztechc",9,830,83,396,67,"2026-05-20T00:34:34.736Z",[],{"attackSurface":40,"codeSignals":75,"taintFlows":112,"riskAssessment":141,"analyzedAt":156},{"hooks":41,"ajaxHandlers":71,"restRoutes":72,"shortcodes":73,"cronEvents":74,"entryPointCount":13,"unprotectedCount":13},[42,48,52,55,59,63,65,67],{"type":43,"name":44,"callback":45,"file":46,"line":47},"action","init","dispaly_avatar_style","display-user-avatar.php",18,{"type":43,"name":49,"callback":50,"file":46,"line":51},"show_user_profile","bc_get_avatar",19,{"type":43,"name":53,"callback":50,"file":46,"line":54},"edit_user_profile",20,{"type":43,"name":56,"callback":57,"file":46,"line":58},"personal_options_update","bc_add_avatar",177,{"type":43,"name":60,"callback":61,"file":46,"line":62},"user_profile_update_errors","validate_steamid_field",209,{"type":43,"name":60,"callback":61,"file":46,"line":64},221,{"type":43,"name":60,"callback":61,"file":46,"line":66},234,{"type":43,"name":68,"callback":69,"file":46,"line":70},"get_avatar","my_avatar",353,[],[],[],[],{"dangerousFunctions":76,"sqlUsage":87,"outputEscaping":89,"fileOperations":90,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":111},[77,81,84],{"fn":78,"file":46,"line":79,"context":80},"move_uploaded_file",206,"move_uploaded_file($_FILES['avatar1']['tmp_name'], $path . \"\u002F\" . $user_img1);",{"fn":78,"file":46,"line":82,"context":83},219,"move_uploaded_file($_FILES['avatar2']['tmp_name'], $path . \"\u002F\" . 
$user_img2);",{"fn":78,"file":46,"line":85,"context":86},232,"move_uploaded_file($_FILES['avatar3']['tmp_name'], $path . \"\u002F\" . $user_img3);",{"prepared":13,"raw":13,"locations":88},[],{"escaped":90,"rawEcho":32,"locations":91},2,[92,95,97,99,101,103,105,107,109],{"file":46,"line":93,"context":94},93,"raw output",{"file":46,"line":96,"context":94},103,{"file":46,"line":98,"context":94},112,{"file":46,"line":100,"context":94},121,{"file":46,"line":102,"context":94},130,{"file":46,"line":104,"context":94},139,{"file":46,"line":106,"context":94},148,{"file":46,"line":108,"context":94},157,{"file":46,"line":110,"context":94},166,[],[113,132],{"entryPoint":114,"graph":115,"unsanitizedCount":130,"severity":131},"bc_get_avatar (display-user-avatar.php:22)",{"nodes":116,"edges":127},[117,122],{"id":118,"type":119,"label":120,"file":46,"line":121},"n0","source","$_REQUEST (x6)",33,{"id":123,"type":124,"label":125,"file":46,"line":96,"wp_function":126},"n1","sink","echo() [XSS]","echo",[128],{"from":118,"to":123,"sanitized":129},false,6,"medium",{"entryPoint":133,"graph":134,"unsanitizedCount":130,"severity":140},"\u003Cdisplay-user-avatar> (display-user-avatar.php:0)",{"nodes":135,"edges":138},[136,137],{"id":118,"type":119,"label":120,"file":46,"line":121},{"id":123,"type":124,"label":125,"file":46,"line":96,"wp_function":126},[139],{"from":118,"to":123,"sanitized":129},"low",{"summary":142,"deductions":143},"The 'random-avatars-of-user' v3.0.0 plugin exhibits a mixed security posture.  While it has a zero attack surface from readily identifiable entry points like AJAX handlers, REST API routes, shortcodes, and cron events, and all SQL queries are prepared, significant concerns arise from the code analysis.\n\nThe presence of 'move_uploaded_file' without any apparent authorization or nonce checks is a critical risk. 
This function, when used without proper validation of the uploaded file's type, name and destination, can lead to arbitrary file uploads, potentially allowing attackers to upload malicious scripts or overwrite existing files.  The taint analysis reporting flows with unsanitized paths further exacerbates this risk: the recorded flows carry $_REQUEST values to echo (an XSS sink), and whether user-supplied input also directly influences file operations without sufficient sanitization or validation should be confirmed in the source.\n\nThe plugin's vulnerability history is clean, with no recorded CVEs. This is a positive indicator, suggesting that the developers have either been diligent in avoiding common vulnerabilities or that the plugin's limited functionality hasn't attracted significant scrutiny. However, the lack of historical vulnerabilities does not negate the immediate risks identified in the static analysis.  The absence of capability checks and nonce checks in the plugin's own code on sensitive functions like file operations is a major oversight that needs immediate attention. These counts cover only the plugin's code: the upload code appears to run from the 'personal_options_update' hook, which WordPress core fires after its own nonce and capability checks on the profile form, so review should also establish how the uploaded file's type and name are validated.",[144,147,149,152,154],{"reason":145,"points":146},"Dangerous function 'move_uploaded_file' found",15,{"reason":148,"points":11},"Flows with unsanitized paths found",{"reason":150,"points":151},"Missing capability checks",5,{"reason":153,"points":151},"Missing nonce checks",{"reason":155,"points":151},"Low output escaping percentage 
(18%)","2026-04-16T12:40:30.936Z",{"wat":158,"direct":165},{"assetPaths":159,"generatorPatterns":161,"scriptPaths":162,"versionParams":163},[160],"\u002Fwp-content\u002Fplugins\u002Frandom-avatars-of-user\u002Fcss\u002Fstyle.css",[],[],[164],"random-avatars-of-user\u002Fcss\u002Fstyle.css?ver=",{"cssClasses":166,"htmlComments":168,"htmlAttributes":169,"restEndpoints":179,"jsGlobals":180,"shortcodeOutput":181},[167],"dua-table",[],[170,171,172,173,174,175,176,177,178],"id=\"remove_1\"","id=\"avatar1\"","id=\"avatar_1_val\"","id=\"remove_2\"","id=\"avatar2\"","id=\"avatar_2_val\"","id=\"remove_3\"","id=\"avatar3\"","id=\"avatar_3_val\"",[],[],[],{"error":183,"url":184,"statusCode":185,"statusMessage":186,"message":186},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Frandom-avatars-of-user\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":90,"versions":188},[189,196],{"version":190,"download_url":191,"svn_tag_url":192,"released_at":26,"has_diff":129,"diff_files_changed":193,"diff_lines":26,"trac_diff_url":194,"vulnerabilities":195,"is_current":129},"2.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frandom-avatars-of-user.2.0.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Frandom-avatars-of-user\u002Ftags\u002F2.0.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Frandom-avatars-of-user%2Ftags%2F1.0.0&new_path=%2Frandom-avatars-of-user%2Ftags%2F2.0.0",[],{"version":197,"download_url":198,"svn_tag_url":199,"released_at":26,"has_diff":129,"diff_files_changed":200,"diff_lines":26,"trac_diff_url":26,"vulnerabilities":201,"is_current":129},"1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frandom-avatars-of-user.1.0.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Frandom-avatars-of-user\u002Ftags\u002F1.0.0\u002F",[],[]]