CVE-2025-3520: 
WordPress vulnerability analysis and mitigation

The Avatar plugin for WordPress contains a critical vulnerability (CVE-2025-3520) that affects all versions up to and including 0.1.4. The vulnerability was discovered and disclosed on April 17, 2025, affecting the WordPress Avatar plugin's file handling functionality. The plugin has been temporarily closed and is not available for download pending a full security review (WordPress Plugin).

The vulnerability is classified as an arbitrary file deletion vulnerability due to insufficient file path validation in a function. The issue has received a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) (NVD Database).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This capability is particularly dangerous as it can lead to remote code execution when critical files, such as wp-config.php, are deleted (NVD Database).

As of April 16, 2025, the plugin has been closed and is not available for download pending a full security review. Users are advised to disable and remove the plugin from their WordPress installations until a patched version is released (WordPress Plugin).