PLUGIN SECURITY
Is Simple Local Avatars safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Simple Local Avatars WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
simple-local-avatars - Requires PHP: 7.4+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Simple Local Avatars [simple-local-avatars] < 2.7.4 [CVE-2022-25860, simple-git < 3.16.0 - Remote Code Execution]
- Simple Local Avatars [simple-local-avatars] < 2.7.4 [CVE-2022-25881, http-cache-semantics < 4.1.1 - Regular Expression Denial of Service (ReDoS)]
- Simple Local Avatars [simple-local-avatars] < 2.7.11 [CVE-2024-43116, WordPress Simple Local Avatars Plugin <= 2.7.10 is vulnerable to Cross Site Request Forgery (CSRF), Simple Local Avatars <= 2.7.10 - Cross-Site Request Forgery via save_default_avatar_file_id()]
- Simple Local Avatars [simple-local-avatars] < 2.8.0 [CVE-2024-10786, Simple Local Avatars <= 2.7.11 - Missing Authorization to Authenticated (Subscriber+) User Cache Clearing, WordPress Simple Local Avatars Plugin <= 2.7.11 is vulnerable to Broken Access Control]
- Simple Local Avatars [simple-local-avatars] < 2.8.5 [CVE-2025-8482, WordPress Simple Local Avatars Plugin <= 2.8.4 is vulnerable to Broken Access Control, Simple Local Avatars <= 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration, EUVD-2025-24225]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Gravatar Enhanced – Avatars, Profiles, and Privacy — 100000+ active installs — max PHP 8.4
- One User Avatar | User Profile Picture — 100000+ active installs — max PHP 8.4
- User Profile Picture — 40000+ active installs — max PHP 8.4
- Basic User Avatars — 20000+ active installs
- WP User Avatars — 20000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.