WordPress Plugin Vulnerabilities

Simple Local Avatars < 2.8.5 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration

Description

The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.

Affects Plugins

Plugin icon
simple-local-avatars
Fixed in 2.8.5

References

CVE
CVE-2025-8482
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/69d78334-2b38-43ee-acf6-c073d5826213

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Håkon Harnes
Verified
No
WPVDB ID
8ed579ed-29b6-4d86-9e0a-5c59cf79ad29

Timeline

Publicly Published
2025-08-11 (about 9 months ago)
Added
2025-08-11 (about 9 months ago)
Last Updated
2025-08-12 (about 9 months ago)

Other

Published
Title
Published
2026-03-11
Title
InstaWP Connect < 0.1.2.7 - Missing Authorization
Published
2024-05-17
Title
Fastly < 1.2.26 - Missing Authorization via AJAX actions
Published
2024-07-19
Title
Security Optimizer – The All-In-One Protection Plugin < 1.5.1 - Missing Authorization via hide_notice()
Published
2025-07-19
Title
Breeze Checkout <= 1.4.0 - Missing Authorization
Published
2024-06-28
Title
Zita Elementor Site Library < 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload