{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8482", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-01T17:50:18.360Z", "datePublished": "2025-08-12T06:42:41.969Z", "dateUpdated": "2026-04-08T16:58:44.811Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:44.811Z"}, "affected": [{"vendor": "10up", "product": "Simple Local Avatars", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users."}], "title": "Simple Local Avatars <= 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69d78334-2b38-43ee-acf6-c073d5826213?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-local-avatars/tags/2.8.4/includes/class-simple-local-avatars.php?marks=1663-1672#L1663"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-local-avatars/tags/2.8.4/includes/class-simple-local-avatars.php#L123"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340223%40simple-local-avatars&new=3340223%40simple-local-avatars&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "H\u00e5kon Harnes"}], "timeline": [{"time": "2025-08-04T13:48:40.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-11T18:20:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T16:04:14.585423Z", "id": "CVE-2025-8482", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T16:04:34.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8482", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T16:04:14.585423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T16:04:28.250Z"}}], "cna": {"title": "Simple Local Avatars <= 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration", "credits": [{"lang": "en", "type": "finder", "value": "H\u00e5kon Harnes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "10up", "product": "Simple Local Avatars", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-04T13:48:40.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-11T18:20:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69d78334-2b38-43ee-acf6-c073d5826213?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-local-avatars/tags/2.8.4/includes/class-simple-local-avatars.php?marks=1663-1672#L1663"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-local-avatars/tags/2.8.4/includes/class-simple-local-avatars.php#L123"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340223%40simple-local-avatars&new=3340223%40simple-local-avatars&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:44.811Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8482", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:44.811Z", "dateReserved": "2025-08-01T17:50:18.360Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-12T06:42:41.969Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users."}, {"lang": "es", "value": "El complemento Simple Local Avatars para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos en la versi\u00f3n 2.8.4. Esto se debe a una comprobaci\u00f3n de capacidad incompleta en la funci\u00f3n migration_from_wp_user_avatar(). Esto permite que atacantes autenticados, con acceso de suscriptor o superior, migren los metadatos de los avatares de todos los usuarios."}], "id": "CVE-2025-8482", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-12T07:15:30.543", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-local-avatars/tags/2.8.4/includes/class-simple-local-avatars.php#L123"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-local-avatars/tags/2.8.4/includes/class-simple-local-avatars.php?marks=1663-1672#L1663"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340223%40simple-local-avatars&new=3340223%40simple-local-avatars&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69d78334-2b38-43ee-acf6-c073d5826213?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:35:17.564788+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple Local Avatars plugin to a version that implements the missing capability check", "Configure role capabilities so that only administrators can perform avatar migrations", "Audit existing avatar metadata for anomalies and restore from backups if discrepancies are found"], "summary": {"action": "Update plugin", "impact": "Unauthorized avatar metadata modification"}, "threat_synthesis": {"affected_systems": "The vulnerability is limited to the 10up Simple Local Avatars plugin version 2.8.4 for WordPress. No other versions or plugins are affected.", "description_and_impact": "The Simple Local Avatars plugin suffers from a missing capability check on the migrate_from_wp_user_avatar function, allowing any authenticated user with at least subscriber-level access to trigger a migration that rewrites avatar metadata for every user on the site. Because this alteration changes data that is typically protected, the impact is primarily the integrity of user avatar information, potentially enabling impersonation or denial of service if avatars are corrupted.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact, while the EPSS of less than 1% reflects a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no evidence of widespread, targeted use. The attack vector requires an authenticated account, so the risk is principally to sites that grant subscriber-level access and might be exploited by malicious or compromised users with such roles. Because the flaw is a straightforward missing authorization check, an attacker who has logged in can easily invoke the function without additional escalation."}}}}, "created": "2025-08-12T19:53:23.008012+00:00", "updated": "2026-04-21T03:45:27.373796+00:00", "vendors": ["10up", "10up$PRODUCT$simple_local_avatars", "wordpress", "wordpress$PRODUCT$wordpress"]}