Instead of a simple, single-purpose custom avatar solution, it is a full-fledged user registration, profile, login, and membership management plugin.
That happened with a plugin that has 400,000+ active installations.
Not surprisingly, many people were not happy about that:
In the past 48 hours, the plugin has received a staggering 60+ one-star reviews — and counting. The WordPress.org support team has already had to close two forum topics. A review titled “Unexpected changes, expected reactions” sums up the situation.
There are more complaints in the comments on WordPress Tavern’s post, including complaints about the problematic moderators of WordPress’ support forum (it’s telling that the person defending the moderators there is a moderator and didn’t clearly disclose it).
Another problem with this type of repurposing is that it can significantly change the security risk of the plugin. That is the case with this plugin, as can be seen with the very different results of running the last version of WP User Avatar and latest version of ProfilePress through our Plugin Security Checker.
WP User Avatar results:
Something being flagged by that tool doesn’t mean that there is a security issue, much less a vulnerability, but we have already confirmed a couple of vulnerabilities in the plugin based on proactive monitoring of changes made to WordPress plugins we do. Another piece of code flagged by the Plugin Security Checker is insecure in a strange way, as the developer fails to escape user input in the code even though in the same line they escape a variable:
In interview The WP Minute did with the developer, they described themself this way:
I run a small WordPress development studio called Proper Fraction where we basically make WordPress plugins. I started out teaching WordPress programming and development on sites such as SitePoint, Tuts+, Designmodo, Smashing Magazine.
So you have someone that seems to be unable to handle basic security that is not only running a company that makes WordPress plugins, but they are teaching others how to program. Is it any wonder that WordPress plugins are so insecure?