Search

Find a vulnerability

Search criteria

    22 vulnerabilities found for better_messages by wordplus

    CVE-2024-13697 (GCVE-0-2024-13697)

    Vulnerability from nvd – Published: 2025-03-01 08:23 – Updated: 2026-04-08 17:17
    VLAI
    Title
    Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links
    Summary
    The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the 'nice_links'. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the "Enable link previews" to be enabled (default).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Credits
    Tim Coen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T20:53:23.554012Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T20:56:21.813Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Better Messages \u2013 Live Chat, Chat Rooms, Real-Time Messaging \u0026 Private Messages",
              "vendor": "wordplus",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the \u0027nice_links\u0027. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the \"Enable link previews\" to be enabled (default)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:25.770Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b67710d7-976b-4a65-bad3-091a97aceb00?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3243180/bp-better-messages"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-23T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-28T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13697",
        "datePublished": "2025-03-01T08:23:21.239Z",
        "dateReserved": "2025-01-23T23:19:17.165Z",
        "dateUpdated": "2026-04-08T17:17:25.770Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13611 (GCVE-0-2024-13611)

    Vulnerability from nvd – Published: 2025-03-01 08:23 – Updated: 2026-04-08 17:10
    VLAI
    Title
    Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
    Summary
    The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Credits
    Tim Coen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13611",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T20:54:47.300239Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T20:56:28.933Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Better Messages \u2013 Live Chat, Chat Rooms, Real-Time Messaging \u0026 Private Messages",
              "vendor": "wordplus",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the \u0027bp-better-messages\u0027 directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:54.150Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/997918b9-2ccd-413e-9df2-d24bc3820ba1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/addons/files.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3228957/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-28T19:31:16.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13611",
        "datePublished": "2025-03-01T08:23:20.219Z",
        "dateReserved": "2025-01-21T23:49:54.015Z",
        "dateUpdated": "2026-04-08T17:10:54.150Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13612 (GCVE-0-2024-13612)

    Vulnerability from nvd – Published: 2025-02-01 12:21 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    Bassem Essam
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13612",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T16:07:36.240513Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T16:36:36.715Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Better Messages \u2013 Live Chat, Chat Rooms, Real-Time Messaging \u0026 Private Messages",
              "vendor": "wordplus",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bassem Essam"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027better_messages_live_chat_button\u0027 shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:13.435Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/169a857f-1ae0-40f6-8a34-10c573af59c5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L125"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L127"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3228965/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13612",
        "datePublished": "2025-02-01T12:21:30.754Z",
        "dateReserved": "2025-01-22T00:01:39.324Z",
        "dateUpdated": "2026-04-08T16:37:13.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49168 (GCVE-0-2023-49168)

    Vulnerability from nvd – Published: 2023-12-14 14:49 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress BP Better Messages Plugin <= 2.4.0 is vulnerable to Cross Site Scripting (XSS)
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Credits
    Rafshanzani Suhada (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:46:29.293Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "bp-better-messages",
              "product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
              "vendor": "WordPlus",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.4.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.4.0",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rafshanzani Suhada (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.\u003cp\u003eThis issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:56.233Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a02.4.1 or a higher version."
                }
              ],
              "value": "Update to\u00a02.4.1 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress BP Better Messages Plugin \u003c= 2.4.0 is vulnerable to Cross Site Scripting (XSS)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49168",
        "datePublished": "2023-12-14T14:49:33.109Z",
        "dateReserved": "2023-11-22T23:36:21.489Z",
        "dateUpdated": "2026-04-28T16:08:56.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-41609 (GCVE-0-2022-41609)

    Vulnerability from nvd – Published: 2022-11-18 23:18 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability
    Summary
    Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.10.68 , ≤ 1.9.10.68 (custom)
    Create a notification for this product.
    Date Public
    2022-10-21 00:00
    Credits
    Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:49:43.313Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41609",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:19:39.403186Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T19:49:32.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.10.68",
                  "status": "affected",
                  "version": "\u003c= 1.9.10.68",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-10-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:49.188Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.10.69 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-41609",
        "datePublished": "2022-11-18T23:18:50.883Z",
        "dateReserved": "2022-09-27T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:49.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-40216 (GCVE-0-2022-40216)

    Vulnerability from nvd – Published: 2022-11-18 22:33 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability
    Summary
    Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Bypass
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.10.69 , ≤ 1.9.10.69 (custom)
    Create a notification for this product.
    Date Public
    2022-11-09 00:00
    Credits
    Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:14:39.861Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-40216",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:19:42.578371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T19:49:49.960Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.10.69",
                  "status": "affected",
                  "version": "\u003c= 1.9.10.69",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-11-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin \u003c= 1.9.10.69 on WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Bypass",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:47.971Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.10.71 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-40216",
        "datePublished": "2022-11-18T22:33:03.687Z",
        "dateReserved": "2022-09-27T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:47.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-36389 (GCVE-0-2022-36389)

    Vulnerability from nvd – Published: 2022-08-23 15:48 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.9.148 , ≤ 1.9.9.148 (custom)
    Create a notification for this product.
    Date Public
    2022-01-18 00:00
    Credits
    Vulnerability discovered by Vlad Vector (Patchstack)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:00:04.391Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36389",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:26:25.861424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:10:17.167Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.9.148",
                  "status": "affected",
                  "version": "\u003c= 1.9.9.148",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Vlad Vector (Patchstack)"
            }
          ],
          "datePublic": "2022-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:45.849Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.9.149 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-01-18T08:45:00.000Z",
              "ID": "CVE-2022-36389",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Better Messages (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 1.9.9.148",
                                "version_value": "1.9.9.148"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WordPlus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by Vlad Vector (Patchstack)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/bp-better-messages/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 1.9.9.149 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-36389",
        "datePublished": "2022-08-23T15:48:47.656Z",
        "dateReserved": "2022-07-22T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:45.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-33142 (GCVE-0-2022-33142)

    Vulnerability from nvd – Published: 2022-08-23 15:46 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
    Summary
    Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Denial Of Service (DoS)
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.10.57 , ≤ 1.9.10.57 (custom)
    Create a notification for this product.
    Date Public
    2022-08-22 00:00
    Credits
    Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T08:01:20.103Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-33142",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:26:59.408906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:11:55.370Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.10.57",
                  "status": "affected",
                  "version": "\u003c= 1.9.10.57",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-08-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial Of Service (DoS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:43.901Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.10.58 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-08-22T07:36:00.000Z",
              "ID": "CVE-2022-33142",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Better Messages (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 1.9.10.57",
                                "version_value": "1.9.10.57"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WordPlus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial Of Service (DoS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/bp-better-messages/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 1.9.10.58 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-33142",
        "datePublished": "2022-08-23T15:46:18.683Z",
        "dateReserved": "2022-07-22T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:43.901Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-29454 (GCVE-0-2022-29454)

    Vulnerability from nvd – Published: 2022-07-20 18:36 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.9.148 , ≤ 1.9.9.148 (custom)
    Create a notification for this product.
    Date Public
    2022-01-18 00:00
    Credits
    Vulnerability discovered by Roldan Brandon (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:05.159Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-29454",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:28:31.712613Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:17:45.347Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.9.148",
                  "status": "affected",
                  "version": "\u003c= 1.9.9.148",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:42.951Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.9.149 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-01-18T13:40:00.000Z",
              "ID": "CVE-2022-29454",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Better Messages (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 1.9.9.148",
                                "version_value": "1.9.9.148"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WordPlus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/bp-better-messages/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 1.9.9.149 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-29454",
        "datePublished": "2022-07-20T18:36:46.390Z",
        "dateReserved": "2022-04-18T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:42.951Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-24809 (GCVE-0-2021-24809)

    Vulnerability from nvd – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
    VLAI
    Title
    BP Better Messages < 1.9.9.41 - Multiple CSRF
    Summary
    The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown BP Better Messages Affected: 1.9.9.41 , < 1.9.9.41 (custom)
    Create a notification for this product.
    Credits
    Brandon Roldan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:42:17.375Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BP Better Messages",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.9.9.41",
                  "status": "affected",
                  "version": "1.9.9.41",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Brandon Roldan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T08:46:30.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24809",
              "STATE": "PUBLIC",
              "TITLE": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BP Better Messages",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.9.9.41",
                                "version_value": "1.9.9.41"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Brandon Roldan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24809",
        "datePublished": "2021-11-01T08:46:30.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:42:17.375Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24808 (GCVE-0-2021-24808)

    Vulnerability from nvd – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
    VLAI
    Title
    BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
    Summary
    The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown BP Better Messages Affected: 1.9.9.41 , < 1.9.9.41 (custom)
    Create a notification for this product.
    Credits
    Brandon Roldan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:42:17.339Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BP Better Messages",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.9.9.41",
                  "status": "affected",
                  "version": "1.9.9.41",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Brandon Roldan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T08:46:29.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24808",
              "STATE": "PUBLIC",
              "TITLE": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BP Better Messages",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.9.9.41",
                                "version_value": "1.9.9.41"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Brandon Roldan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24808",
        "datePublished": "2021-11-01T08:46:29.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:42:17.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-13697 (GCVE-0-2024-13697)

    Vulnerability from cvelistv5 – Published: 2025-03-01 08:23 – Updated: 2026-04-08 17:17
    VLAI
    Title
    Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links
    Summary
    The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the 'nice_links'. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the "Enable link previews" to be enabled (default).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Credits
    Tim Coen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T20:53:23.554012Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T20:56:21.813Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Better Messages \u2013 Live Chat, Chat Rooms, Real-Time Messaging \u0026 Private Messages",
              "vendor": "wordplus",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the \u0027nice_links\u0027. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the \"Enable link previews\" to be enabled (default)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:25.770Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b67710d7-976b-4a65-bad3-091a97aceb00?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3243180/bp-better-messages"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-23T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-28T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13697",
        "datePublished": "2025-03-01T08:23:21.239Z",
        "dateReserved": "2025-01-23T23:19:17.165Z",
        "dateUpdated": "2026-04-08T17:17:25.770Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13611 (GCVE-0-2024-13611)

    Vulnerability from cvelistv5 – Published: 2025-03-01 08:23 – Updated: 2026-04-08 17:10
    VLAI
    Title
    Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
    Summary
    The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Credits
    Tim Coen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13611",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T20:54:47.300239Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T20:56:28.933Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Better Messages \u2013 Live Chat, Chat Rooms, Real-Time Messaging \u0026 Private Messages",
              "vendor": "wordplus",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the \u0027bp-better-messages\u0027 directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:54.150Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/997918b9-2ccd-413e-9df2-d24bc3820ba1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/addons/files.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3228957/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-28T19:31:16.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13611",
        "datePublished": "2025-03-01T08:23:20.219Z",
        "dateReserved": "2025-01-21T23:49:54.015Z",
        "dateUpdated": "2026-04-08T17:10:54.150Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13612 (GCVE-0-2024-13612)

    Vulnerability from cvelistv5 – Published: 2025-02-01 12:21 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    Bassem Essam
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13612",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T16:07:36.240513Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T16:36:36.715Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Better Messages \u2013 Live Chat, Chat Rooms, Real-Time Messaging \u0026 Private Messages",
              "vendor": "wordplus",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bassem Essam"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027better_messages_live_chat_button\u0027 shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:13.435Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/169a857f-1ae0-40f6-8a34-10c573af59c5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L125"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L127"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3228965/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13612",
        "datePublished": "2025-02-01T12:21:30.754Z",
        "dateReserved": "2025-01-22T00:01:39.324Z",
        "dateUpdated": "2026-04-08T16:37:13.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49168 (GCVE-0-2023-49168)

    Vulnerability from cvelistv5 – Published: 2023-12-14 14:49 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress BP Better Messages Plugin <= 2.4.0 is vulnerable to Cross Site Scripting (XSS)
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Credits
    Rafshanzani Suhada (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:46:29.293Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "bp-better-messages",
              "product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
              "vendor": "WordPlus",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.4.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.4.0",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rafshanzani Suhada (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.\u003cp\u003eThis issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:56.233Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a02.4.1 or a higher version."
                }
              ],
              "value": "Update to\u00a02.4.1 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress BP Better Messages Plugin \u003c= 2.4.0 is vulnerable to Cross Site Scripting (XSS)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49168",
        "datePublished": "2023-12-14T14:49:33.109Z",
        "dateReserved": "2023-11-22T23:36:21.489Z",
        "dateUpdated": "2026-04-28T16:08:56.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-41609 (GCVE-0-2022-41609)

    Vulnerability from cvelistv5 – Published: 2022-11-18 23:18 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability
    Summary
    Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.10.68 , ≤ 1.9.10.68 (custom)
    Create a notification for this product.
    Date Public
    2022-10-21 00:00
    Credits
    Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:49:43.313Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41609",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:19:39.403186Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T19:49:32.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.10.68",
                  "status": "affected",
                  "version": "\u003c= 1.9.10.68",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-10-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:49.188Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.10.69 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-41609",
        "datePublished": "2022-11-18T23:18:50.883Z",
        "dateReserved": "2022-09-27T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:49.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-40216 (GCVE-0-2022-40216)

    Vulnerability from cvelistv5 – Published: 2022-11-18 22:33 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability
    Summary
    Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Bypass
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.10.69 , ≤ 1.9.10.69 (custom)
    Create a notification for this product.
    Date Public
    2022-11-09 00:00
    Credits
    Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:14:39.861Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-40216",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:19:42.578371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T19:49:49.960Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.10.69",
                  "status": "affected",
                  "version": "\u003c= 1.9.10.69",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-11-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin \u003c= 1.9.10.69 on WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Bypass",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:47.971Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.10.71 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-40216",
        "datePublished": "2022-11-18T22:33:03.687Z",
        "dateReserved": "2022-09-27T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:47.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-36389 (GCVE-0-2022-36389)

    Vulnerability from cvelistv5 – Published: 2022-08-23 15:48 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.9.148 , ≤ 1.9.9.148 (custom)
    Create a notification for this product.
    Date Public
    2022-01-18 00:00
    Credits
    Vulnerability discovered by Vlad Vector (Patchstack)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:00:04.391Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36389",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:26:25.861424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:10:17.167Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.9.148",
                  "status": "affected",
                  "version": "\u003c= 1.9.9.148",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Vlad Vector (Patchstack)"
            }
          ],
          "datePublic": "2022-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:45.849Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.9.149 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-01-18T08:45:00.000Z",
              "ID": "CVE-2022-36389",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Better Messages (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 1.9.9.148",
                                "version_value": "1.9.9.148"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WordPlus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by Vlad Vector (Patchstack)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/bp-better-messages/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 1.9.9.149 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-36389",
        "datePublished": "2022-08-23T15:48:47.656Z",
        "dateReserved": "2022-07-22T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:45.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-33142 (GCVE-0-2022-33142)

    Vulnerability from cvelistv5 – Published: 2022-08-23 15:46 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
    Summary
    Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Denial Of Service (DoS)
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.10.57 , ≤ 1.9.10.57 (custom)
    Create a notification for this product.
    Date Public
    2022-08-22 00:00
    Credits
    Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T08:01:20.103Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-33142",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:26:59.408906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:11:55.370Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.10.57",
                  "status": "affected",
                  "version": "\u003c= 1.9.10.57",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-08-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial Of Service (DoS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:43.901Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.10.58 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-08-22T07:36:00.000Z",
              "ID": "CVE-2022-33142",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Better Messages (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 1.9.10.57",
                                "version_value": "1.9.10.57"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WordPlus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial Of Service (DoS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/bp-better-messages/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 1.9.10.58 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-33142",
        "datePublished": "2022-08-23T15:46:18.683Z",
        "dateReserved": "2022-07-22T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:43.901Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-29454 (GCVE-0-2022-29454)

    Vulnerability from cvelistv5 – Published: 2022-07-20 18:36 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    WordPlus Better Messages (WordPress plugin) Affected: <= 1.9.9.148 , ≤ 1.9.9.148 (custom)
    Create a notification for this product.
    Date Public
    2022-01-18 00:00
    Credits
    Vulnerability discovered by Roldan Brandon (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:05.159Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-29454",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:28:31.712613Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:17:45.347Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Better Messages (WordPress plugin)",
              "vendor": "WordPlus",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.9.148",
                  "status": "affected",
                  "version": "\u003c= 1.9.9.148",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:42.951Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 1.9.9.149 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-01-18T13:40:00.000Z",
              "ID": "CVE-2022-29454",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Better Messages (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 1.9.9.148",
                                "version_value": "1.9.9.148"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WordPlus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/bp-better-messages/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/bp-better-messages/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 1.9.9.149 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-29454",
        "datePublished": "2022-07-20T18:36:46.390Z",
        "dateReserved": "2022-04-18T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:42.951Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-24809 (GCVE-0-2021-24809)

    Vulnerability from cvelistv5 – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
    VLAI
    Title
    BP Better Messages < 1.9.9.41 - Multiple CSRF
    Summary
    The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown BP Better Messages Affected: 1.9.9.41 , < 1.9.9.41 (custom)
    Create a notification for this product.
    Credits
    Brandon Roldan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:42:17.375Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BP Better Messages",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.9.9.41",
                  "status": "affected",
                  "version": "1.9.9.41",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Brandon Roldan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T08:46:30.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24809",
              "STATE": "PUBLIC",
              "TITLE": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BP Better Messages",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.9.9.41",
                                "version_value": "1.9.9.41"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Brandon Roldan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24809",
        "datePublished": "2021-11-01T08:46:30.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:42:17.375Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24808 (GCVE-0-2021-24808)

    Vulnerability from cvelistv5 – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
    VLAI
    Title
    BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
    Summary
    The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown BP Better Messages Affected: 1.9.9.41 , < 1.9.9.41 (custom)
    Create a notification for this product.
    Credits
    Brandon Roldan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:42:17.339Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BP Better Messages",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.9.9.41",
                  "status": "affected",
                  "version": "1.9.9.41",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Brandon Roldan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T08:46:29.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24808",
              "STATE": "PUBLIC",
              "TITLE": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BP Better Messages",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.9.9.41",
                                "version_value": "1.9.9.41"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Brandon Roldan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24808",
        "datePublished": "2021-11-01T08:46:29.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:42:17.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }