WordPress · Simple Local Avatars · CVE-2025-8482
Name of the Vulnerable Software and Affected Versions:
Simple Local Avatars plugin for WordPress version 2.8.4
Description:
The Simple Local Avatars plugin for WordPress is susceptible to unauthorized data modification due to an incomplete capability check within the `migrate_from_wp_user_avatar()` function. Authenticated attackers with subscriber-level access or higher can exploit this to migrate avatar metadata for all users.
Recommendations:
Update to a newer version of the Simple Local Avatars plugin that addresses this issue.
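
For plugin authors, the kind of capability check the description refers to looks like the following. This is an added WordPress PHP example, not code from the Simple Local Avatars plugin. The `example_*` function names, the AJAX action, the nonce action, the meta keys and the choice of `manage_options` as the required capability are all assumptions.

```php
<?php
/**
 * Added illustration: hypothetical plugin code, not Simple Local Avatars source.
 * Function names, the AJAX action, the nonce action and the meta keys are
 * constructed for this example. Load it inside WordPress (e.g. as a plugin file).
 */

// wp_ajax_{action} handlers run for every logged-in user, subscribers included.
add_action( 'wp_ajax_example_migrate_avatars', 'example_ajax_migrate_avatars' );

function example_ajax_migrate_avatars() {
	// A nonce ties the request to a session and an intent. On its own it is an
	// incomplete check: it says nothing about what the user is allowed to do.
	check_ajax_referer( 'example_migrate_avatars', 'nonce' );

	// The authorization step. Bulk changes to other users' metadata need an
	// administrative capability; 'manage_options' is an assumption here.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	wp_send_json_success( array( 'migrated' => example_migrate_avatars() ) );
}

/**
 * Copies a legacy avatar attachment ID into a new meta key for every user and
 * returns the number of users updated. The capability is checked here as well,
 * so another entry point that reaches this function does not skip authorization.
 */
function example_migrate_avatars() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return 0;
	}

	$migrated = 0;
	foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
		$legacy = get_user_meta( $user_id, 'example_legacy_avatar_id', true );
		if ( empty( $legacy ) ) {
			continue; // Nothing to migrate for this user.
		}
		update_user_meta( $user_id, 'example_avatar_id', absint( $legacy ) );
		$migrated++;
	}
	return $migrated;
}
```

Without the two `current_user_can()` guards, any logged-in account that holds a valid nonce could trigger the site-wide metadata change, which is the class of flaw described above.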