WP User Avatars Security & Risk Analysis

wordpress.org/plugins/wp-user-avatars

Allow registered users to upload & select their own avatars.

20K active installs · v1.4.1 · PHP 7.0+ · WP 5.2+ · Updated Jun 1, 2021
Tags: avatar, local, media, profile, user
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP User Avatars Safe to Use in 2026?

Generally Safe

Score 85/100

WP User Avatars has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The wp-user-avatars plugin v1.4.1 demonstrates a generally positive security posture, with no recorded critical or high-severity vulnerabilities in its history. The code analysis shows strong practices like the complete absence of raw SQL queries and a high percentage of properly escaped output. Furthermore, there are no critical or high-severity taint flows identified, suggesting a good effort in handling user-provided data. The plugin also incorporates nonce and capability checks, which are fundamental security measures.

However, significant concerns arise from the identified attack surface. The presence of two AJAX handlers, both lacking authentication checks, presents a clear risk. This means that any unauthenticated user could potentially interact with these handlers, leading to unintended actions or information disclosure if not properly secured within the handler logic itself. While no specific vulnerabilities are currently known or have been historically recorded, this lack of protection on entry points is a weakness that could be exploited by attackers.

In conclusion, while the plugin benefits from good coding practices regarding data handling and has a clean vulnerability history, the unprotected AJAX endpoints are a notable security weakness. Addressing these unprotected entry points should be a priority to further strengthen the plugin's overall security.

Key Concerns

  • Unprotected AJAX handlers
  • Low percentage of properly escaped output
Vulnerabilities
None known

WP User Avatars Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP User Avatars Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 5 (15 escaped)
Nonce Checks: 3
Capability Checks: 8
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Output Escaping

75% escaped · 20 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
wp_user_avatars_action_remove_avatars (wp-user-avatars\includes\ajax.php:19)
[Data flow graph legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
2 unprotected

WP User Avatars Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers: 2

auth · wp_ajax_assign_wp_user_avatars_media · wp-user-avatars\includes\hooks.php:42
auth · wp_ajax_remove_wp_user_avatars · wp-user-avatars\includes\hooks.php:43

WordPress Hooks: 23

action · user_profile_update_errors · wp-user-avatars\includes\common.php:40
filter · upload_size_limit · wp-user-avatars\includes\common.php:50
action · user_profile_update_errors · wp-user-avatars\includes\common.php:77
action · user_profile_update_errors · wp-user-avatars\includes\common.php:80
action · admin_init · wp-user-avatars\includes\hooks.php:15
filter · map_meta_cap · wp-user-avatars\includes\hooks.php:18
action · admin_enqueue_scripts · wp-user-avatars\includes\hooks.php:21
action · show_user_profile · wp-user-avatars\includes\hooks.php:24
action · edit_user_profile · wp-user-avatars\includes\hooks.php:25
action · user_edit_form_tag · wp-user-avatars\includes\hooks.php:26
action · personal_options_update · wp-user-avatars\includes\hooks.php:27
action · edit_user_profile_update · wp-user-avatars\includes\hooks.php:28
filter · avatar_defaults · wp-user-avatars\includes\hooks.php:31
filter · option_avatar_default · wp-user-avatars\includes\hooks.php:34
filter · pre_update_option_avatar_default · wp-user-avatars\includes\hooks.php:35
filter · get_avatar_url · wp-user-avatars\includes\hooks.php:38
filter · get_avatar_url · wp-user-avatars\includes\hooks.php:39
action · admin_action_remove-wp-user-avatars · wp-user-avatars\includes\hooks.php:44
action · wp_user_profiles_add_meta_boxes · wp-user-avatars\includes\hooks.php:47
action · wp_user_profiles_do_admin_head · wp-user-avatars\includes\hooks.php:48
action · init · wp-user-avatars\includes\hooks.php:49
action · admin_init · wp-user-avatars\includes\sponsor.php:17
action · plugins_loaded · wp-user-avatars.php:46
Maintenance & Trust

WP User Avatars Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.8.13
Last updated: Jun 1, 2021
PHP min version: 7.0
Downloads: 313K

Community Trust

Rating: 90/100
Number of ratings: 29
Active installs: 20K
Developer Profile

WP User Avatars Developer Profile

John James Jacoby

28 plugins · 332K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 1401 days
Detection Fingerprints

How We Detect WP User Avatars

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-user-avatars/assets/css/user-avatars-rtl.css
/wp-content/plugins/wp-user-avatars/assets/css/user-avatars.css
/wp-content/plugins/wp-user-avatars/assets/js/user-avatars.js
Version Parameters
wp-user-avatars/assets/css/user-avatars.css?ver=
wp-user-avatars/assets/js/user-avatars.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-user-avatars-photo
wp-user-avatars-actions
wp-user-avatars-media
Data Attributes
id="wp-user-avatars-user-settings"
id="wp-user-avatars-photo"
id="wp-user-avatars-actions"
id="wp-user-avatars"
id="wp-user-avatars-media"
JS Globals
i10n_WPUserAvatars
FAQ

Frequently Asked Questions about WP User Avatars