Threat Entry Updated 2025-05-26

CVE-2024-13611 - Bp Better Messages Plugin

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.

PLUGIN Bp Better Messages

CVE-2024-13611

HIGH CVSS 7.5 2025-03-01

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-02-20

CVE-2024-13612 - Bp Better Messages Plugin

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bp Better Messages

CVE-2024-13612

MEDIUM CVSS 6.4 2025-02-01

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-36389 - Bp Better Messages Plugin

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin

PLUGIN Bp Better Messages

CVE-2022-36389

MEDIUM CVSS 4.3 2022-08-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-02-20

CVE-2022-33142 - Bp Better Messages Plugin

Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin

PLUGIN Bp Better Messages

CVE-2022-33142

HIGH CVSS 7.7 2022-08-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-29454 - Bp Better Messages Plugin

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin

PLUGIN Bp Better Messages

CVE-2022-29454

LOW CVSS 3.1 2022-07-20

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24809 - Bp Better Messages Plugin

The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions

PLUGIN Bp Better Messages

CVE-2021-24809

HIGH CVSS 8.8 2021-11-01

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24808 - Bp Better Messages Plugin

The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

PLUGIN Bp Better Messages

CVE-2021-24808

MEDIUM CVSS 6.1 2021-11-01

Risk Score

Open Full Technical Breakdown