Vulnerabilities and security researches forsimple-local-avatars simple-local-avatars

Jun 07, 2024

CVE, Research URL: CVE-2022-25881
Home page URL: Security reports for Simple Local Avatars
Application: Simple Local Avatars
Date: Jan 31, 2023
Research Description: This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-25860
Home page URL: Security reports for Simple Local Avatars
Application: Simple Local Avatars
Date: Jan 27, 2023
Research Description: Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
Affected versions: Min -, max -.
Status: vulnerable

Jul 24, 2024

PSC, Research URL: PSC-2024-26389
Home page URL: Security reports for Simple Local Avatars
Application: Simple Local Avatars
Date: Aug 05, 2025
Research Description: Simple Local Avatars is a user-friendly plugin designed to streamline avatar management on WordPress websites. By seamlessly integrating an avatar upload field into user profiles, this lightweight plugin empowers users with media permissions to personalize their online presence effortlessly. In this article, we explore the features of Simple Local Avatars, emphasizing its commitment to security and recognition through the esteemed "Plugin Security Certification" (PSC) from CleanTalk.
Affected versions: Min -, max -.
Status: SAFE & CERTIFIED

Aug 11, 2024

CVE, Research URL: CVE-2024-43116
Home page URL: Security reports for Simple Local Avatars
Application: Simple Local Avatars
Date: Aug 27, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in 10up Simple Local Avatars.This issue affects Simple Local Avatars: from n/a through 2.7.10.
Affected versions: Min -, max -.
Status: vulnerable

Nov 16, 2024

CVE, Research URL: CVE-2024-10786
Home page URL: Security reports for Simple Local Avatars
Application: Simple Local Avatars
Date: Nov 16, 2024
Research Description: The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches.
Affected versions: Min -, max -.
Status: vulnerable

Aug 14, 2025

CVE, Research URL: CVE-2025-8482
Home page URL: Security reports for Simple Local Avatars
Application: Simple Local Avatars
Date: Aug 12, 2025
Research Description: The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.
Affected versions: Min -, max -.
Status: vulnerable