
CVE-2021-24808 – BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24808
04 Oct 2021 — The BP Better Messages WordPress plugin before 1.9.9.41 sanitises the 'subject' parameter (with sanitize_text_field) but does not escape it before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/views/layout-new.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-24809 – BP Better Messages < 1.9.9.41 - Multiple CSRF
https://notcve.org/view.php?id=CVE-2021-24809
04 Oct 2021 — The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in several of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged-in users perform unwanted actions. • https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php • CWE-352: Cross-Site Request Forgery (CSRF)
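Both records describe the same kind of gap in WordPress plugin code: sanitising input is not escaping output for its context, and an authenticated AJAX action is not a CSRF-checked one. The PHP below is an added illustration, not code from BP Better Messages or its changesets; the AJAX action name comes from the record above, while the nonce action name, script handle and request field names are assumed.

```php
<?php
// Added illustration, not code from BP Better Messages: each defect class
// from the two records above, beside the hardened WordPress idiom.

// CVE-2021-24808: sanitised on input, but not escaped for the attribute.
function bpbm_subject_field_vulnerable() {
    // sanitize_text_field() strips tags and stray bytes but leaves quotes,
    // so a double quote in ?subject= closes the value="" attribute.
    $subject = sanitize_text_field( wp_unslash( $_GET['subject'] ?? '' ) );
    return '<input type="text" name="subject" value="' . $subject . '">';
}

function bpbm_subject_field_fixed() {
    // Sanitise on input AND escape for the exact output context:
    // esc_attr() encodes quotes and angle brackets, so the value cannot
    // terminate the attribute or start a new tag.
    $subject = sanitize_text_field( wp_unslash( $_GET['subject'] ?? '' ) );
    return '<input type="text" name="subject" value="' . esc_attr( $subject ) . '">';
}

// CVE-2021-24809: authenticated AJAX action with no CSRF check.
function bpbm_leave_chat_vulnerable() {
    // Any request carrying the victim's session cookies reaches this
    // logic, including one submitted by a form on another site.
    $thread_id = absint( $_POST['thread_id'] ?? 0 );
    // ... removes get_current_user_id() from $thread_id ...
    wp_send_json_success();
}

// Hardened shape: the page that renders the UI hands the script a nonce
// ('bpbm-script' and the action name 'bpbm_thread_action' are assumed),
// and the handler refuses to run without a valid one.
function bpbm_enqueue_nonce() {
    wp_localize_script( 'bpbm-script', 'bpbmAjax',
        array( 'nonce' => wp_create_nonce( 'bpbm_thread_action' ) ) );
}
add_action( 'wp_enqueue_scripts', 'bpbm_enqueue_nonce' );

function bpbm_leave_chat_fixed() {
    // The JS sends the nonce as the 'nonce' POST field. check_ajax_referer()
    // terminates the request (HTTP 403 on current WordPress) when the nonce
    // is absent or stale, so a cross-site request never reaches the change.
    check_ajax_referer( 'bpbm_thread_action', 'nonce' );
    $thread_id = absint( $_POST['thread_id'] ?? 0 );
    // ... removes get_current_user_id() from $thread_id ...
    wp_send_json_success();
}
add_action( 'wp_ajax_bp_better_messages_leave_chat', 'bpbm_leave_chat_fixed' );
```

The same nonce check belongs in every wp_ajax_ handler listed in the record, and esc_attr() (or esc_html()/esc_url() for other contexts) belongs at each point a sanitised value is echoed.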