Simple Local Avatars Missing Authorization Vulnerability in WordPress

Vulnerability

A missing authorization vulnerability exists in the Simple Local Avatars plugin for WordPress, version 2.8.4. The 'migrate_from_wp_user_avatar()' function, which copies avatar data from the WP User Avatar plugin into Simple Local Avatars for every user on the site, runs without any capability check. Because the function is reachable by any logged-in user, an authenticated attacker with subscriber-level access or higher can trigger the migration and modify avatar metadata for all users.

Impact

Exploiting this vulnerability lets a low-privileged user trigger a site-wide migration of avatar metadata that only an administrator should be able to start. The result is unauthorized modification of user metadata for every account on the site: each user's Simple Local Avatars data is overwritten with whatever the WP User Avatar data contains, so users may end up with incorrect or unwanted avatars.

Reproduction

To reproduce, log in as a user with subscriber-level access and trigger the action that migrates WP User Avatar data to Simple Local Avatars, which the plugin exposes through the WordPress admin interface. In the vulnerable version the request is processed and the migration runs for all users even though the subscriber does not hold the permissions such an administrative action should require. The plugin also exposes the same migration as a WP-CLI command; that path requires shell access to the server, so it is not the vector an attacker holding only a WordPress account would use.

Remediation

Update the Simple Local Avatars plugin to version 2.8.5 or later, which patches this issue. Because exploitation requires an authenticated account, sites that allow open registration with the subscriber role are the most exposed until the update is applied.
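The following PHP is an added example written for this page, not the Simple Local Avatars plugin's source. It shows the pattern the Vulnerability and Reproduction sections describe, an admin-ajax handler that verifies a nonce but never checks a capability, next to the hardened form a remediation of this kind adds. The handler names, the user-meta keys 'wp_user_avatar' and 'simple_local_avatar', and the choice of the 'manage_options' capability are assumptions made for the illustration. The WordPress functions are stubbed only so the file runs under plain `php` on the command line; inside WordPress the real ones already exist.

```php
<?php
// Added example (not the plugin's own code): a "nonce but no capability check"
// admin-ajax handler beside its hardened form. Handler names, meta keys and the
// 'manage_options' capability are assumptions made for this illustration.
// WordPress functions are stubbed so the file runs under plain `php`.

if ( ! function_exists( 'current_user_can' ) ) {
	// Stub: a subscriber has only 'read'; an administrator also has 'manage_options'.
	function current_user_can( $cap ) {
		global $example_role;
		$caps = array(
			'subscriber'    => array( 'read' ),
			'administrator' => array( 'read', 'manage_options' ),
		);
		return in_array( $cap, $caps[ $example_role ], true );
	}
}

if ( ! function_exists( 'wp_verify_nonce' ) ) {
	// Stub: a nonce only proves the request came from a page that issued it
	// (CSRF protection). It says nothing about whether the user is authorized.
	function wp_verify_nonce( $nonce, $action ) {
		return $nonce === 'nonce-for-' . $action;
	}
}

// Constructed stand-in for user meta: user ID => meta array.
function example_users() {
	return array(
		1 => array( 'wp_user_avatar' => 101,  'simple_local_avatar' => array() ),
		2 => array( 'wp_user_avatar' => 102,  'simple_local_avatar' => array() ),
		3 => array( 'wp_user_avatar' => null, 'simple_local_avatar' => array() ),
	);
}

// The migration itself: copy every user's WP User Avatar attachment ID into the
// Simple Local Avatars meta. It is site-wide by design, which is exactly why
// only an administrator should be able to trigger it.
function migrate_from_wp_user_avatar( array &$users ) {
	$count = 0;
	foreach ( $users as &$meta ) {
		if ( empty( $meta['wp_user_avatar'] ) ) {
			continue;
		}
		$meta['simple_local_avatar'] = array( 'media_id' => (int) $meta['wp_user_avatar'] );
		$count++;
	}
	unset( $meta );
	return $count;
}

// Vulnerable pattern: the handler verifies a nonce and nothing else. Any
// logged-in user who can obtain a valid nonce runs the migration for all users.
function vulnerable_ajax_handler( array $request, array &$users ) {
	if ( empty( $request['nonce'] ) || ! wp_verify_nonce( $request['nonce'], 'migrate_avatars' ) ) {
		return array( 'success' => false, 'error' => 'bad nonce' );
	}
	return array( 'success' => true, 'count' => migrate_from_wp_user_avatar( $users ) );
}

// Hardened pattern: the capability check is the authorization decision and
// comes first; the nonce stays as CSRF protection.
function hardened_ajax_handler( array $request, array &$users ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return array( 'success' => false, 'error' => 'insufficient permissions' );
	}
	if ( empty( $request['nonce'] ) || ! wp_verify_nonce( $request['nonce'], 'migrate_avatars' ) ) {
		return array( 'success' => false, 'error' => 'bad nonce' );
	}
	return array( 'success' => true, 'count' => migrate_from_wp_user_avatar( $users ) );
}

// Demo: the same request, carrying a valid nonce, sent as a subscriber and
// then as an administrator, against both handlers.
$request = array( 'nonce' => 'nonce-for-migrate_avatars' );

$example_role = 'subscriber';
$users = example_users();
print_r( vulnerable_ajax_handler( $request, $users ) );
$users = example_users();
print_r( hardened_ajax_handler( $request, $users ) );

$example_role = 'administrator';
$users = example_users();
print_r( hardened_ajax_handler( $request, $users ) );
```

Running the file shows the subscriber's request accepted by the vulnerable handler, with metadata rewritten for every user that had a WP User Avatar value, and refused by the hardened handler with no change to user meta; only the administrator gets through the hardened path. The point to carry back to the advisory is that a nonce does not substitute for `current_user_can()`: the nonce defends against cross-site request forgery, while the capability check is what enforces who may run an administrative action.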

Added: Aug 12, 2025, 7:21 AM
Updated: Aug 12, 2025, 7:21 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          2.5
exploitability  6.4
remediation     7.7
relevance       0.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.