Search criteria
22 vulnerabilities found for better_messages by wordplus
CVE-2024-13697 (GCVE-0-2024-13697)
Vulnerability from nvd – Published: 2025-03-01 08:23 – Updated: 2025-03-03 20:56
VLAI?
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links
Summary
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the 'nice_links'. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the "Enable link previews" to be enabled (default).
Severity ?
4.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordplus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
* , ≤ 2.7.4
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:53:23.554012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:56:21.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "wordplus",
"versions": [
{
"lessThanOrEqual": "2.7.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the \u0027nice_links\u0027. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the \"Enable link previews\" to be enabled (default)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-01T08:23:21.239Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b67710d7-976b-4a65-bad3-091a97aceb00?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3243180/bp-better-messages"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-23T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-02-28T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13697",
"datePublished": "2025-03-01T08:23:21.239Z",
"dateReserved": "2025-01-23T23:19:17.165Z",
"dateUpdated": "2025-03-03T20:56:21.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13611 (GCVE-0-2024-13611)
Vulnerability from nvd – Published: 2025-03-01 08:23 – Updated: 2025-03-03 20:56
VLAI?
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Summary
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordplus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
* , ≤ 2.6.9
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:54:47.300239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:56:28.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "wordplus",
"versions": [
{
"lessThanOrEqual": "2.6.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the \u0027bp-better-messages\u0027 directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-01T08:23:20.219Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/997918b9-2ccd-413e-9df2-d24bc3820ba1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/addons/files.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3228957/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-28T19:31:16.000+00:00",
"value": "Disclosed"
}
],
"title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13611",
"datePublished": "2025-03-01T08:23:20.219Z",
"dateReserved": "2025-01-21T23:49:54.015Z",
"dateUpdated": "2025-03-03T20:56:28.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13612 (GCVE-0-2024-13612)
Vulnerability from nvd – Published: 2025-02-01 12:21 – Updated: 2025-02-03 16:36
VLAI?
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordplus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
* , ≤ 2.6.9
(semver)
|
Credits
Bassem Essam
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:07:36.240513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:36:36.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "wordplus",
"versions": [
{
"lessThanOrEqual": "2.6.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bassem Essam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027better_messages_live_chat_button\u0027 shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T12:21:30.754Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/169a857f-1ae0-40f6-8a34-10c573af59c5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L84"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L125"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L127"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3228965/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13612",
"datePublished": "2025-02-01T12:21:30.754Z",
"dateReserved": "2025-01-22T00:01:39.324Z",
"dateUpdated": "2025-02-03T16:36:36.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49168 (GCVE-0-2023-49168)
Vulnerability from nvd – Published: 2023-12-14 14:49 – Updated: 2024-08-02 21:46
VLAI?
Title
WordPress BP Better Messages Plugin <= 2.4.0 is vulnerable to Cross Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
n/a , ≤ 2.4.0
(custom)
|
Credits
Rafshanzani Suhada (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bp-better-messages",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "WordPlus",
"versions": [
{
"changes": [
{
"at": "2.4.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafshanzani Suhada (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.\u003cp\u003eThis issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T14:49:33.109Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.4.1 or a higher version."
}
],
"value": "Update to\u00a02.4.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress BP Better Messages Plugin \u003c= 2.4.0 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-49168",
"datePublished": "2023-12-14T14:49:33.109Z",
"dateReserved": "2023-11-22T23:36:21.489Z",
"dateUpdated": "2024-08-02T21:46:29.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41609 (GCVE-0-2022-41609)
Vulnerability from nvd – Published: 2022-11-18 23:18 – Updated: 2025-02-20 19:49
VLAI?
Title
WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability
Summary
Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.
Severity ?
6.4 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.10.68 , ≤ 1.9.10.68
(custom)
|
Credits
Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:19:39.403186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:49:32.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.10.68",
"status": "affected",
"version": "\u003c= 1.9.10.68",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"datePublic": "2022-10-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.10.69 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-41609",
"datePublished": "2022-11-18T23:18:50.883Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:49:32.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40216 (GCVE-0-2022-40216)
Vulnerability from nvd – Published: 2022-11-18 22:33 – Updated: 2025-02-20 19:49
VLAI?
Title
WordPress Better Messages plugin <= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability
Summary
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.
Severity ?
4.3 (Medium)
CWE
- Bypass
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.10.69 , ≤ 1.9.10.69
(custom)
|
Credits
Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.861Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:19:42.578371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:49:49.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.10.69",
"status": "affected",
"version": "\u003c= 1.9.10.69",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"datePublic": "2022-11-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin \u003c= 1.9.10.69 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.10.71 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40216",
"datePublished": "2022-11-18T22:33:03.687Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:49:49.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36389 (GCVE-0-2022-36389)
Vulnerability from nvd – Published: 2022-08-23 15:48 – Updated: 2025-02-20 20:10
VLAI?
Title
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.9.148 , ≤ 1.9.9.148
(custom)
|
Credits
Vulnerability discovered by Vlad Vector (Patchstack)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.391Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:26:25.861424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:10:17.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.9.148",
"status": "affected",
"version": "\u003c= 1.9.9.148",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"datePublic": "2022-01-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:48:47.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-18T08:45:00.000Z",
"ID": "CVE-2022-36389",
"STATE": "PUBLIC",
"TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Better Messages (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.9.9.148",
"version_value": "1.9.9.148"
}
]
}
}
]
},
"vendor_name": "WordPlus"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/bp-better-messages/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36389",
"datePublished": "2022-08-23T15:48:47.656Z",
"dateReserved": "2022-07-22T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:10:17.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33142 (GCVE-0-2022-33142)
Vulnerability from nvd – Published: 2022-08-23 15:46 – Updated: 2025-02-20 20:11
VLAI?
Title
WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
Summary
Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress.
Severity ?
7.7 (High)
CWE
- Denial Of Service (DoS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.10.57 , ≤ 1.9.10.57
(custom)
|
Credits
Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:20.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-33142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:26:59.408906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:11:55.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.10.57",
"status": "affected",
"version": "\u003c= 1.9.10.57",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"datePublic": "2022-08-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial Of Service (DoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:46:18.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.10.58 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-22T07:36:00.000Z",
"ID": "CVE-2022-33142",
"STATE": "PUBLIC",
"TITLE": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Better Messages (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.9.10.57",
"version_value": "1.9.10.57"
}
]
}
}
]
},
"vendor_name": "WordPlus"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial Of Service (DoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/bp-better-messages/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.9.10.58 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-33142",
"datePublished": "2022-08-23T15:46:18.683Z",
"dateReserved": "2022-07-22T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:11:55.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29454 (GCVE-0-2022-29454)
Vulnerability from nvd – Published: 2022-07-20 18:36 – Updated: 2025-02-20 20:17
VLAI?
Title
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.9.148 , ≤ 1.9.9.148
(custom)
|
Credits
Vulnerability discovered by Roldan Brandon (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:05.159Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:28:31.712613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:17:45.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.9.148",
"status": "affected",
"version": "\u003c= 1.9.9.148",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
}
],
"datePublic": "2022-01-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T18:36:46.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-18T13:40:00.000Z",
"ID": "CVE-2022-29454",
"STATE": "PUBLIC",
"TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Better Messages (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.9.9.148",
"version_value": "1.9.9.148"
}
]
}
}
]
},
"vendor_name": "WordPlus"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/bp-better-messages/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-29454",
"datePublished": "2022-07-20T18:36:46.390Z",
"dateReserved": "2022-04-18T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:17:45.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24809 (GCVE-0-2021-24809)
Vulnerability from nvd – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
BP Better Messages < 1.9.9.41 - Multiple CSRF
Summary
The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | BP Better Messages |
Affected:
1.9.9.41 , < 1.9.9.41
(custom)
|
Credits
Brandon Roldan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BP Better Messages",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.9.9.41",
"status": "affected",
"version": "1.9.9.41",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:30",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24809",
"STATE": "PUBLIC",
"TITLE": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BP Better Messages",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9.9.41",
"version_value": "1.9.9.41"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24809",
"datePublished": "2021-11-01T08:46:30",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:42:17.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24808 (GCVE-0-2021-24808)
Vulnerability from nvd – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
Summary
The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | BP Better Messages |
Affected:
1.9.9.41 , < 1.9.9.41
(custom)
|
Credits
Brandon Roldan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BP Better Messages",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.9.9.41",
"status": "affected",
"version": "1.9.9.41",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:29",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24808",
"STATE": "PUBLIC",
"TITLE": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BP Better Messages",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9.9.41",
"version_value": "1.9.9.41"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24808",
"datePublished": "2021-11-01T08:46:29",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:42:17.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13697 (GCVE-0-2024-13697)
Vulnerability from cvelistv5 – Published: 2025-03-01 08:23 – Updated: 2025-03-03 20:56
VLAI?
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links
Summary
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the 'nice_links'. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the "Enable link previews" to be enabled (default).
Severity ?
4.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordplus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
* , ≤ 2.7.4
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:53:23.554012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:56:21.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "wordplus",
"versions": [
{
"lessThanOrEqual": "2.7.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the \u0027nice_links\u0027. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the \"Enable link previews\" to be enabled (default)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-01T08:23:21.239Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b67710d7-976b-4a65-bad3-091a97aceb00?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3243180/bp-better-messages"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-23T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-02-28T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13697",
"datePublished": "2025-03-01T08:23:21.239Z",
"dateReserved": "2025-01-23T23:19:17.165Z",
"dateUpdated": "2025-03-03T20:56:21.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13611 (GCVE-0-2024-13611)
Vulnerability from cvelistv5 – Published: 2025-03-01 08:23 – Updated: 2025-03-03 20:56
VLAI?
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Summary
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordplus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
* , ≤ 2.6.9
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:54:47.300239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:56:28.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "wordplus",
"versions": [
{
"lessThanOrEqual": "2.6.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the \u0027bp-better-messages\u0027 directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-01T08:23:20.219Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/997918b9-2ccd-413e-9df2-d24bc3820ba1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/addons/files.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3228957/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-28T19:31:16.000+00:00",
"value": "Disclosed"
}
],
"title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13611",
"datePublished": "2025-03-01T08:23:20.219Z",
"dateReserved": "2025-01-21T23:49:54.015Z",
"dateUpdated": "2025-03-03T20:56:28.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13612 (GCVE-0-2024-13612)
Vulnerability from cvelistv5 – Published: 2025-02-01 12:21 – Updated: 2025-02-03 16:36
VLAI?
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordplus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
* , ≤ 2.6.9
(semver)
|
Credits
Bassem Essam
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:07:36.240513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:36:36.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "wordplus",
"versions": [
{
"lessThanOrEqual": "2.6.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bassem Essam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027better_messages_live_chat_button\u0027 shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T12:21:30.754Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/169a857f-1ae0-40f6-8a34-10c573af59c5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L84"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L125"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L127"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3228965/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss \u003c= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13612",
"datePublished": "2025-02-01T12:21:30.754Z",
"dateReserved": "2025-01-22T00:01:39.324Z",
"dateUpdated": "2025-02-03T16:36:36.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49168 (GCVE-0-2023-49168)
Vulnerability from cvelistv5 – Published: 2023-12-14 14:49 – Updated: 2024-08-02 21:46
VLAI?
Title
WordPress BP Better Messages Plugin <= 2.4.0 is vulnerable to Cross Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss |
Affected:
n/a , ≤ 2.4.0
(custom)
|
Credits
Rafshanzani Suhada (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bp-better-messages",
"product": "Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss",
"vendor": "WordPlus",
"versions": [
{
"changes": [
{
"at": "2.4.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafshanzani Suhada (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.\u003cp\u003eThis issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPlus Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages \u2013 Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T14:49:33.109Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.4.1 or a higher version."
}
],
"value": "Update to\u00a02.4.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress BP Better Messages Plugin \u003c= 2.4.0 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-49168",
"datePublished": "2023-12-14T14:49:33.109Z",
"dateReserved": "2023-11-22T23:36:21.489Z",
"dateUpdated": "2024-08-02T21:46:29.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41609 (GCVE-0-2022-41609)
Vulnerability from cvelistv5 – Published: 2022-11-18 23:18 – Updated: 2025-02-20 19:49
VLAI?
Title
WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability
Summary
Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.
Severity ?
6.4 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.10.68 , ≤ 1.9.10.68
(custom)
|
Credits
Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:19:39.403186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:49:32.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.10.68",
"status": "affected",
"version": "\u003c= 1.9.10.68",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"datePublic": "2022-10-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.10.69 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-41609",
"datePublished": "2022-11-18T23:18:50.883Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:49:32.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40216 (GCVE-0-2022-40216)
Vulnerability from cvelistv5 – Published: 2022-11-18 22:33 – Updated: 2025-02-20 19:49
VLAI?
Title
WordPress Better Messages plugin <= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability
Summary
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.
Severity ?
4.3 (Medium)
CWE
- Bypass
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.10.69 , ≤ 1.9.10.69
(custom)
|
Credits
Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.861Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:19:42.578371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:49:49.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.10.69",
"status": "affected",
"version": "\u003c= 1.9.10.69",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"datePublic": "2022-11-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin \u003c= 1.9.10.69 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.10.71 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40216",
"datePublished": "2022-11-18T22:33:03.687Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:49:49.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36389 (GCVE-0-2022-36389)
Vulnerability from cvelistv5 – Published: 2022-08-23 15:48 – Updated: 2025-02-20 20:10
VLAI?
Title
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.9.148 , ≤ 1.9.9.148
(custom)
|
Credits
Vulnerability discovered by Vlad Vector (Patchstack)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.391Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:26:25.861424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:10:17.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.9.148",
"status": "affected",
"version": "\u003c= 1.9.9.148",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"datePublic": "2022-01-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:48:47.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-18T08:45:00.000Z",
"ID": "CVE-2022-36389",
"STATE": "PUBLIC",
"TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Better Messages (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.9.9.148",
"version_value": "1.9.9.148"
}
]
}
}
]
},
"vendor_name": "WordPlus"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/bp-better-messages/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36389",
"datePublished": "2022-08-23T15:48:47.656Z",
"dateReserved": "2022-07-22T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:10:17.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33142 (GCVE-0-2022-33142)
Vulnerability from cvelistv5 – Published: 2022-08-23 15:46 – Updated: 2025-02-20 20:11
VLAI?
Title
WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
Summary
Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress.
Severity ?
7.7 (High)
CWE
- Denial Of Service (DoS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.10.57 , ≤ 1.9.10.57
(custom)
|
Credits
Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:20.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-33142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:26:59.408906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:11:55.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.10.57",
"status": "affected",
"version": "\u003c= 1.9.10.57",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"datePublic": "2022-08-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial Of Service (DoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:46:18.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.10.58 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-22T07:36:00.000Z",
"ID": "CVE-2022-33142",
"STATE": "PUBLIC",
"TITLE": "WordPress Better Messages plugin \u003c= 1.9.10.57 - Denial Of Service (DoS) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Better Messages (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.9.10.57",
"version_value": "1.9.10.57"
}
]
}
}
]
},
"vendor_name": "WordPlus"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Dhakal Ananda (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin \u003c= 1.9.10.57 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial Of Service (DoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/bp-better-messages/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.9.10.58 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-33142",
"datePublished": "2022-08-23T15:46:18.683Z",
"dateReserved": "2022-07-22T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:11:55.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29454 (GCVE-0-2022-29454)
Vulnerability from cvelistv5 – Published: 2022-07-20 18:36 – Updated: 2025-02-20 20:17
VLAI?
Title
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPlus | Better Messages (WordPress plugin) |
Affected:
<= 1.9.9.148 , ≤ 1.9.9.148
(custom)
|
Credits
Vulnerability discovered by Roldan Brandon (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:05.159Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:28:31.712613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:17:45.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Better Messages (WordPress plugin)",
"vendor": "WordPlus",
"versions": [
{
"lessThanOrEqual": "1.9.9.148",
"status": "affected",
"version": "\u003c= 1.9.9.148",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
}
],
"datePublic": "2022-01-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T18:36:46.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-18T13:40:00.000Z",
"ID": "CVE-2022-29454",
"STATE": "PUBLIC",
"TITLE": "WordPress Better Messages plugin \u003c= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Better Messages (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.9.9.148",
"version_value": "1.9.9.148"
}
]
}
}
]
},
"vendor_name": "WordPlus"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Roldan Brandon (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin \u003c= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/bp-better-messages/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/bp-better-messages/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.9.9.149 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-29454",
"datePublished": "2022-07-20T18:36:46.390Z",
"dateReserved": "2022-04-18T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:17:45.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24809 (GCVE-0-2021-24809)
Vulnerability from cvelistv5 – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
BP Better Messages < 1.9.9.41 - Multiple CSRF
Summary
The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | BP Better Messages |
Affected:
1.9.9.41 , < 1.9.9.41
(custom)
|
Credits
Brandon Roldan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BP Better Messages",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.9.9.41",
"status": "affected",
"version": "1.9.9.41",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:30",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24809",
"STATE": "PUBLIC",
"TITLE": "BP Better Messages \u003c 1.9.9.41 - Multiple CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BP Better Messages",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9.9.41",
"version_value": "1.9.9.41"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24809",
"datePublished": "2021-11-01T08:46:30",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:42:17.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24808 (GCVE-0-2021-24808)
Vulnerability from cvelistv5 – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
Summary
The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | BP Better Messages |
Affected:
1.9.9.41 , < 1.9.9.41
(custom)
|
Credits
Brandon Roldan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BP Better Messages",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.9.9.41",
"status": "affected",
"version": "1.9.9.41",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:29",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24808",
"STATE": "PUBLIC",
"TITLE": "BP Better Messages \u003c 1.9.9.41 - Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BP Better Messages",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9.9.41",
"version_value": "1.9.9.41"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the \u0027subject\u0027 parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/53ff82ec-00ec-4b20-8f60-db9db8c025b4"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24808",
"datePublished": "2021-11-01T08:46:29",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:42:17.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}