User Avatar – Reloaded Security & Risk Analysis

wordpress.org/plugins/user-avatar-reloaded

Use any image from your WordPress Media Library as a custom user avatar or user profile picture. Add your own Default Avatar.

900 active installs · v1.2.2 · PHP 5.6+ · WP 4.0+ · Updated Sep 14, 2023

Tags: author-image, author-photo, avatar, gravatar, user-profile

Score: 62 (C · Use Caution)
CVEs total: 2
Unpatched: 1
Last CVE: Sep 28, 2025
Safety Verdict

Is User Avatar – Reloaded Safe to Use in 2026?

Use With Caution

Score 62/100

User Avatar – Reloaded has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Sep 28, 2025 · Updated 2yr ago
Risk Assessment

The User Avatar Reloaded plugin v1.2.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and performing capability checks on many actions. The absence of dangerous functions and file operations is also encouraging. However, significant concerns arise from the static analysis, particularly the presence of an AJAX handler without authentication. This creates an unprotected entry point that attackers could potentially exploit.

The taint analysis indicates one flow with unsanitized paths, though it is not classified as critical or high severity. This warrants further investigation to ensure no privilege escalation or sensitive data exposure is possible through this flow. The vulnerability history is a significant red flag, with two known CVEs, one of which remains unpatched. The recurring Cross-Site Scripting (XSS) vulnerability type suggests a pattern of improper input sanitization or output escaping that needs consistent attention.

In conclusion, while the plugin has some sound security foundations, the unpatched CVE, the unprotected AJAX handler, and the historical trend of XSS vulnerabilities introduce considerable risks. The small percentage of properly escaped outputs further exacerbates the XSS risk. Addressing the unpatched vulnerability and securing the AJAX endpoint should be immediate priorities.

Key Concerns

  • Unpatched CVE
  • Unprotected AJAX handler
  • Flow with unsanitized paths
  • Low output escaping percentage
  • Medium severity CVE history (2)
User Avatar – Reloaded Security Vulnerabilities (2)

CVEs by Year

2023: 1 CVE (patched)
2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-68080 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

User Avatar – Reloaded <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 28, 2025 · Unpatched

CVE-2023-4798 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

User Avatar – Reloaded <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Sep 25, 2023 · Patched in 1.2.2 (120d)
User Avatar – Reloaded Code Analysis (analyzed Mar 16, 2026)

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (6 prepared)
  • Unescaped Output: 63 (37 escaped)
  • Nonce Checks: 1
  • Capability Checks: 12
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (6 total queries)

Output Escaping

37% escaped (100 total outputs)

Data Flow Analysis

3 flows, 1 with unsanitized paths

  • search_box (includes\class-wp-user-avatar-list-table.php:72)
User Avatar – Reloaded Attack Surface

Entry Points: 3 (1 unprotected)

AJAX Handlers (1)

  • wp_ajax_wp_user_avatar_tinymce (auth) · includes\wpua-tinymce.php:54

Shortcodes (2)

  • [avatar] · includes\class-wp-user-avatar-shortcode.php:19
  • [avatar_upload] · includes\class-wp-user-avatar-shortcode.php:20
WordPress Hooks (64)

  • action admin_init · includes\class-wp-user-avatar-admin.php:25
  • action admin_menu · includes\class-wp-user-avatar-admin.php:30
  • action admin_init · includes\class-wp-user-avatar-admin.php:31
  • filter default_avatar_select · includes\class-wp-user-avatar-admin.php:33
  • filter allowed_options · includes\class-wp-user-avatar-admin.php:35
  • filter whitelist_options · includes\class-wp-user-avatar-admin.php:37
  • filter plugin_action_links · includes\class-wp-user-avatar-admin.php:40
  • filter plugin_row_meta · includes\class-wp-user-avatar-admin.php:41
  • filter manage_users_columns · includes\class-wp-user-avatar-admin.php:44
  • filter manage_users_custom_column · includes\class-wp-user-avatar-admin.php:45
  • filter display_media_states · includes\class-wp-user-avatar-admin.php:48
  • filter set-screen-option · includes\class-wp-user-avatar-admin.php:121
  • action init · includes\class-wp-user-avatar-admin.php:412
  • filter get_avatar · includes\class-wp-user-avatar-functions.php:18
  • filter get_avatar_url · includes\class-wp-user-avatar-functions.php:20
  • filter bp_core_fetch_avatar · includes\class-wp-user-avatar-functions.php:23
  • filter bp_core_fetch_avatar_url · includes\class-wp-user-avatar-functions.php:25
  • filter get_avatar · includes\class-wp-user-avatar-functions.php:561
  • action plugins_loaded · includes\class-wp-user-avatar-functions.php:733
  • filter the_title · includes\class-wp-user-avatar-list-table.php:227
  • action init · includes\class-wp-user-avatar-resource-manager.php:31
  • action wp_footer · includes\class-wp-user-avatar-resource-manager.php:32
  • action wp_print_footer_scripts · includes\class-wp-user-avatar-resource-manager.php:83
  • action admin_print_footer_scripts · includes\class-wp-user-avatar-resource-manager.php:84
  • action shutdown · includes\class-wp-user-avatar-resource-manager.php:85
  • action wpua_show_profile · includes\class-wp-user-avatar-shortcode.php:22
  • action wpua_show_profile · includes\class-wp-user-avatar-shortcode.php:23
  • action wpua_update · includes\class-wp-user-avatar-shortcode.php:24
  • action wpua_update_errors · includes\class-wp-user-avatar-shortcode.php:26
  • action init · includes\class-wp-user-avatar-shortcode.php:264
  • action user_edit_form_tag · includes\class-wp-user-avatar-subscriber.php:22
  • action admin_init · includes\class-wp-user-avatar-subscriber.php:24
  • action init · includes\class-wp-user-avatar-subscriber.php:65
  • action admin_init · includes\class-wp-user-avatar-update.php:21
  • action admin_init · includes\class-wp-user-avatar-update.php:24
  • action admin_init · includes\class-wp-user-avatar-update.php:27
  • action init · includes\class-wp-user-avatar-update.php:116
  • filter wpua_profile_title · includes\class-wp-user-avatar-widget.php:52
  • action show_user_profile · includes\class-wp-user-avatar.php:29
  • action edit_user_profile · includes\class-wp-user-avatar.php:34
  • action personal_options_update · includes\class-wp-user-avatar.php:39
  • action edit_user_profile_update · includes\class-wp-user-avatar.php:40
  • action user_new_form · includes\class-wp-user-avatar.php:41
  • action user_register · includes\class-wp-user-avatar.php:42
  • filter user_profile_picture_description · includes\class-wp-user-avatar.php:46
  • action admin_enqueue_scripts · includes\class-wp-user-avatar.php:58
  • action show_user_profile · includes\class-wp-user-avatar.php:62
  • action edit_user_profile · includes\class-wp-user-avatar.php:63
  • action user_profile_update_errors · includes\class-wp-user-avatar.php:67
  • filter wp_handle_upload_prefilter · includes\class-wp-user-avatar.php:69
  • filter media_view_settings · includes\class-wp-user-avatar.php:72
  • action user_profile_update_errors · includes\class-wp-user-avatar.php:295
  • action init · includes\class-wp-user-avatar.php:494
  • action admin_notices · includes\mo-notice.php:7
  • action network_admin_notices · includes\mo-notice.php:8
  • action admin_init · includes\mo-notice.php:10
  • action wpua_before_avatar · includes\wpua-functions.php:107
  • action wpua_after_avatar · includes\wpua-functions.php:129
  • action wpua_before_avatar_admin · includes\wpua-functions.php:161
  • action wpua_after_avatar_admin · includes\wpua-functions.php:174
  • action widgets_init · includes\wpua-functions.php:184
  • filter mce_external_plugins · includes\wpua-tinymce.php:18
  • filter mce_buttons · includes\wpua-tinymce.php:19
  • action init · includes\wpua-tinymce.php:22

User Avatar – Reloaded Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.3.8
Last updated: Sep 14, 2023
PHP min version: 5.6
Downloads: 10K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 900

User Avatar – Reloaded Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 287 days

How We Detect User Avatar – Reloaded

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/user-avatar-reloaded/css/wp-user-avatar.css
  • /wp-content/plugins/user-avatar-reloaded/js/wp-user-avatar.js
  • /wp-content/plugins/user-avatar-reloaded/js/wp-user-avatar-user.js
Script Paths
  • /wp-content/plugins/user-avatar-reloaded/js/wp-user-avatar.js
  • /wp-content/plugins/user-avatar-reloaded/js/wp-user-avatar-user.js
Version Parameters
  • user-avatar-reloaded/css/wp-user-avatar.css?ver=
  • user-avatar-reloaded/js/wp-user-avatar.js?ver=
  • user-avatar-reloaded/js/wp-user-avatar-user.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • user-profile-picture
  • wpua-avatar
Data Attributes
  • data-wpua_action
  • data-wpua_upload_size_limit
  • data-wpua_upload_url
JS Globals
  • wpua_is_profile
  • wpua_upload_size_limit

Frequently Asked Questions about User Avatar – Reloaded