CVE-2025-8482 MEDIUM

CVE-2025-8482: Simple Local Avatars <= 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration

Vendor 10Up
Product Simple Local Avatars
Weakness CWE-862 · Missing authorization
Published August 12, 2025
Last update April 8, 2026

CVSS base score

4.3/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in versions up to and including 2.8.4. The cause is a missing capability check on the migrate_from_wp_user_avatar() function. As a result, authenticated attackers with subscriber-level access or above can trigger the migration of avatar metadata for all users.

Explanation of Vulnerability in Simple Terms

Summary

Simple Local Avatars through version 2.8.4 does not check permissions before allowing a user to run the avatar migration. A logged-in user with low privileges can therefore change avatar data for other users' accounts that they should not have access to. Exploitation requires an active WordPress user account, but no elevated role or capability beyond that.
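To show the class of bug the description names (CWE-862, a privileged action with no capability check), here is an added illustration in the plugin's language, not code from Simple Local Avatars itself: a hypothetical WordPress AJAX handler for an avatar migration, first in the unchecked shape and then with the nonce and capability checks a defender would expect. All function, action, nonce and meta-key names are assumptions for this example.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions.

// Unchecked shape: any logged-in user who can reach the AJAX action can
// rewrite avatar metadata for every account, because nothing verifies who
// is calling or whether they are allowed to. This is the CWE-862 pattern.
function example_migrate_avatars_unchecked() {
    foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
        $legacy = get_user_meta( $user_id, 'example_legacy_avatar', true );
        if ( $legacy ) {
            update_user_meta( $user_id, 'example_local_avatar', $legacy );
        }
    }
    wp_send_json_success();
}

// Hardened shape: reject requests without a valid nonce (CSRF), then require
// a capability that subscribers do not hold. 'manage_options' is the usual
// administrator-level gate for site-wide maintenance actions.
function example_migrate_avatars_checked() {
    check_ajax_referer( 'example_migrate_avatars', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $migrated = 0;
    foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
        $legacy = get_user_meta( $user_id, 'example_legacy_avatar', true );
        if ( $legacy ) {
            update_user_meta( $user_id, 'example_local_avatar', $legacy );
            $migrated++;
        }
    }
    wp_send_json_success( array( 'migrated' => $migrated ) );
}

// Register only the checked handler; wp_ajax_* already requires a login,
// but a login alone is not an authorization decision.
add_action( 'wp_ajax_example_migrate_avatars', 'example_migrate_avatars_checked' );
```

The fix the advisory implies is the second function's two guard lines: a logged-in session proves identity, while current_user_can() decides whether that identity may perform a site-wide change.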

What an attacker can do

Attacker Capabilities

Modify avatar images for other user accounts without authorization.

Potential impact on your site

Site Impact

Users' profile avatars can be changed by unauthorized accounts, potentially causing impersonation or defacement.

Conditions required to exploit

Prerequisites

Attacker must have a valid WordPress user account with low privileges (e.g., subscriber or contributor role).

Key dates

Disclosure timeline

August 12, 2025 CVE published
April 8, 2026 Record updated