Cross-Site Scripting Vulnerability in User Avatar - Reloaded by Saad Iqbal
CVE-2025-68080

Currently unrated

Key Information:

Vendor: WordPress

CVE Published: 16 December 2025

What is CVE-2025-68080?

The User Avatar - Reloaded plugin by Saad Iqbal contains a stored cross-site scripting (XSS) vulnerability. The issue arises from improper handling of input during web page generation, which can lead to malicious scripts being executed in the context of a user's browser. Attackers may exploit this vulnerability to inject harmful scripts, potentially compromising user data and site integrity. All versions up to and including 1.2.2 are affected.

Affected Version(s)

User Avatar - Reloaded <= n/a

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ | Patchstack Bug Bounty Program