Vulnerabilities and security researches foravatar avatar

Apr 20, 2025

CVE, Research URL: CVE-2025-3520
Home page URL: Security reports for Avatar
Application: Avatar
Date: Apr 18, 2025
Research Description: The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions: max 0.1.4.
Status: vulnerable

CVE, Research URL: CVE-2025-39434
Home page URL: Security reports for Avatar
Application: Avatar
Date: Apr 17, 2025
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.
Affected versions: max 0.1.4.
Status: vulnerable