Does WPAvatar have any unpatched vulnerabilities?

Yes — WPAvatar currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is WPAvatar compatible with WordPress 6.8.5?

According to WordPress.org data, WPAvatar 1.9.4 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is WPAvatar compatible with PHP 5.6+?

WPAvatar requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is WPAvatar updated?

WPAvatar was last updated on Sep 13, 2025. Frequent updates are generally a positive security signal.

What is WPAvatar's security score?

WPAvatar has a WP-Safety security score of 78/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WPAvatar Security & Risk Analysis

wordpress.org/plugins/wpavatar

Use WPAvatar to speed up your website, switch gravatar to Chinese source, and support automatic acquisition and display of QQ Mail avatar.

700 active installs v1.9.4 PHP 5.6+ WP 5.4+ Updated Sep 13, 2025

avatargravatarwp-avatarwpavatar%e5%a4%b4%e5%83%8f

B · Generally Safe

CVEs total1

Unpatched1

Last CVEAug 25, 2025

Plugin page Download

Safety Verdict

Is WPAvatar Safe to Use in 2026?

Mostly Safe

Score 78/100

WPAvatar is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Aug 25, 2025Updated 8mo ago

Risk Assessment

The wpavatar plugin v1.9.4 exhibits a mixed security posture. On the positive side, the static analysis reveals good practices such as 100% use of prepared statements for SQL queries, a robust number of nonce and capability checks (7 and 8 respectively), and no identified critical or high severity taint flows. The absence of dangerous functions and bundled libraries is also encouraging.

However, there are notable concerns. The output escaping is not perfectly implemented, with 22% of outputs not being properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities, especially given that the plugin has a history of XSS-related CVEs. The presence of a medium severity, unpatched CVE from August 2025 is a significant risk, indicating a potential vulnerability that has not yet been addressed by the developer. This historical pattern of XSS vulnerabilities, coupled with imperfect output escaping, warrants careful attention.

In conclusion, while the plugin demonstrates strengths in areas like SQL handling and input validation (as indicated by taint analysis), the unpatched CVE and the percentage of unescaped output represent clear security weaknesses. Users should be aware of the historical vulnerability types and the potential for XSS, and ideally, the plugin developer should address the outstanding CVE.

Key Concerns

Unpatched CVE (Medium Severity)
Unescaped output percentage (22%)

Vulnerabilities

1 published

WPAvatar Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-48312medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPAvatar <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 25, 2025Unpatched

Version History

WPAvatar Release Timeline

v1.9.4Current1 CVE

CVE-2025-48312

v1.9.31 CVE

CVE-2025-48312

v1.01 CVE

CVE-2025-48312

Code Analysis

Analyzed Mar 16, 2026

WPAvatar Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

122 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared2 total queries

Output Escaping

78% escaped157 total outputs

Data Flows · Security

All sanitized

Data Flow Analysis

2 flows

save_network_settings (includes\multisite.php:1036)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WPAvatar Attack Surface

Entry Points12

Unprotected0

AJAX Handlers 4

authwp_ajax_wpavatar_purge_cachewpavatar.php:75

authwp_ajax_wpavatar_purge_all_cachewpavatar.php:117

authwp_ajax_wpavatar_check_cachewpavatar.php:171

authwp_ajax_wpavatar_check_all_cachewpavatar.php:184

Shortcodes 8

[wpavatar] includes\core.php:892

[wpavatar_username] includes\core.php:893

[wpavatar_latest_commenters] includes\marketing.php:15

[wpavatar_latest_users] includes\marketing.php:16

[wpavatar_random_users] includes\marketing.php:17

[wpavatar_author] includes\marketing.php:18

[wpavatar] includes\wpcy-compatibility.php:58

[wpavatar_username] includes\wpcy-compatibility.php:59

WordPress Hooks 40

actionadmin_menuincludes\admin.php:6

actionadmin_initincludes\admin.php:7

actionadmin_enqueue_scriptsincludes\admin.php:8

actionadmin_noticesincludes\admin.php:9

filterpre_get_avatar_dataincludes\core.php:24

filterget_avatar_urlincludes\core.php:27

filterum_user_avatar_url_filterincludes\core.php:30

filterbp_gravatar_urlincludes\core.php:31

filteruser_profile_picture_descriptionincludes\core.php:32

filterget_avatarincludes\core.php:33

actioninitincludes\core.php:339

actioninitincludes\core.php:340

filterget_avatar_urlincludes\core.php:343

filterget_avatarincludes\core.php:344

actionwpavatar_purge_cacheincludes\core.php:347

actioncomment_postincludes\core.php:349

actionprofile_updateincludes\core.php:350

filterwalker_nav_menu_start_elincludes\core.php:894

actionwp_headincludes\marketing.php:21

actionadmin_initincludes\marketing.php:25

actionnetwork_admin_menuincludes\multisite.php:32

actionnetwork_admin_edit_wpavatar_network_settingsincludes\multisite.php:33

actionadmin_enqueue_scriptsincludes\multisite.php:34

filternetwork_admin_plugin_action_links_wpavatar/wpavatar.phpincludes\multisite.php:38

actionadmin_noticesincludes\multisite.php:42

actionadmin_menuincludes\multisite.php:43

actionwpmu_new_blogincludes\multisite.php:47

actionnetwork_admin_edit_wpavatar_import_site_settingsincludes\multisite.php:1298

actionnetwork_admin_edit_wpavatar_apply_to_all_sitesincludes\multisite.php:1299

actionafter_setup_themeincludes\wpcy-compatibility.php:16

actioninitincludes\wpcy-compatibility.php:19

actionadmin_noticesincludes\wpcy-compatibility.php:36

filterwalker_nav_menu_start_elincludes\wpcy-compatibility.php:60

filterum_user_avatar_url_filterincludes\wpcy-compatibility.php:110

filterbp_gravatar_urlincludes\wpcy-compatibility.php:111

filteruser_profile_picture_descriptionincludes\wpcy-compatibility.php:112

filterget_avatar_urlincludes\wpcy-compatibility.php:116

actionplugins_loadedwpavatar.php:197

filtergettextwpavatar.php:265

filterngettextwpavatar.php:266

Scheduled Events 2

wpavatar_purge_cache

Maintenance & Trust

WPAvatar Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedSep 13, 2025

PHP min version5.6

Downloads8K

Community Trust

Rating100/100

Number of ratings1

Active installs700

Alternatives

WPAvatar Alternatives

Custom Profile Avatar

custom-profile-avatar

100

Easily upload and use custom profile avatars in WordPress. Disable Gravatar and keep everything local.

0 No CVEs

One User Avatar | User Profile Picture

one-user-avatar

Use any image from your WordPress Media Library as a custom user avatar or user profile picture. Add your own Default Avatar.

100K 2 CVEs

Simple Local Avatars

simple-local-avatars

Adds an avatar upload field to user profiles. Generates requested sizes on demand just like Gravatar!

100K 6 CVEs

User Profile Picture

metronet-profile-picture

Set a custom profile image (avatar) for a user using the standard WordPress media upload tool.

40K 1 CVE

Basic User Avatars

basic-user-avatars

Add an avatar upload field on frontend pages and Edit Profile screen so users can add a custom profile picture.

20K No CVEs

Developer Profile

WPAvatar Developer Profile

文派翻译（WP Chinese Translation）

3 plugins · 1K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect WPAvatar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wpavatar/admin.css/wp-content/plugins/wpavatar/admin.js

HTML / DOM Fingerprints

CSS Classes

wpavatar-settings-wrap

HTML Comments

JS Globals

wpavatar_ajax_object

FAQ

WPAvatar Security & Risk Analysis

Is WPAvatar Safe to Use in 2026?

Mostly Safe

Key Concerns

WPAvatar Security Vulnerabilities

CVEs by Year

Severity Breakdown

WPAvatar Release Timeline

WPAvatar Code Analysis

SQL Query Safety

Output Escaping

Data Flow Analysis

WPAvatar Attack Surface

AJAX Handlers 4

Shortcodes 8

Scheduled Events 2

WPAvatar Maintenance & Trust

Maintenance Signals

Community Trust

WPAvatar Alternatives

Custom Profile Avatar

One User Avatar | User Profile Picture

Simple Local Avatars

User Profile Picture

Basic User Avatars

WPAvatar Developer Profile

How We Detect WPAvatar

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about WPAvatar