
CVE-2024-13611 – Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
https://notcve.org/view.php?id=CVE-2024-13611
28 Feb 2025 — The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages. • https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/addons/files.php • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
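The exposure above comes down to attachments living in a directory the web server hands out by URL, with no check that the requester belongs to the conversation. The following PHP is an added illustration of the alternative, not the plugin's code and not the vendor's fix: downloads go through an endpoint that authenticates the caller, rejects path traversal and symlink escapes, and answers 404 for both "missing" and "not yours". It assumes the files are kept in a directory the web server does not serve directly, and it uses a constructed ACL callback in place of the plugin's participant lookup.

```php
<?php
// Added example, not the plugin's code: serve chat attachments through an endpoint
// that checks the requester instead of exposing the upload directory to the web.
// Assumptions: $base is a directory the web server does not serve directly, and
// $canView (a constructed stand-in for the plugin's participant lookup) says
// whether a user may read a given attachment.
declare(strict_types=1);

/** Resolve $relative under $base; null on traversal, symlink escape, or missing file. */
function resolve_attachment_path(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || $relative === '' || $relative[0] === '/' || str_contains($relative, "\0")) {
        return null;
    }
    // Allow only plain path segments before touching the filesystem.
    foreach (explode('/', $relative) as $seg) {
        if (!preg_match('/^[A-Za-z0-9._-]+$/', $seg) || $seg === '.' || $seg === '..') {
            return null;
        }
    }
    $real = realpath($baseReal . '/' . $relative);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // realpath() followed any symlink; the target must still be inside $base.
    return str_starts_with($real, $baseReal . DIRECTORY_SEPARATOR) ? $real : null;
}

/**
 * Decide the response for a download request. Returns [status, headers, path]
 * instead of sending output so the logic can be run from the CLI.
 */
function attachment_response(string $base, string $relative, ?int $userId, callable $canView): array
{
    if ($userId === null) {
        return [401, [], null];                 // unauthenticated requests never reach the filesystem
    }
    $path = resolve_attachment_path($base, $relative);
    if ($path === null || !$canView($userId, $relative)) {
        return [404, [], null];                 // same answer for "missing" and "not yours": no enumeration oracle
    }
    return [200, [
        'Content-Type'           => 'application/octet-stream',   // never trust the uploader's declared type
        'Content-Disposition'    => 'attachment; filename="' . basename($path) . '"',
        'X-Content-Type-Options' => 'nosniff',
        'Cache-Control'          => 'private, no-store',
        'Content-Length'         => (string) filesize($path),
    ], $path];
}

// --- Constructed fixture: one thread directory, plus a symlink pointing outside it ---
$tmp  = sys_get_temp_dir();
$base = "$tmp/bm-attachments-" . getmypid();
mkdir("$base/thread-42", 0700, true);
file_put_contents("$base/thread-42/report.pdf", '%PDF-1.4 demo');
file_put_contents("$tmp/bm-outside-" . getmypid() . '.txt', 'secret');
symlink("$tmp/bm-outside-" . getmypid() . '.txt', "$base/thread-42/link.txt");

// Constructed ACL: only user 7 participates in thread 42.
$canView = fn(int $uid, string $rel): bool => $uid === 7 && str_starts_with($rel, 'thread-42/');

$requests = [
    [7,    'thread-42/report.pdf'],   // participant            -> 200
    [9,    'thread-42/report.pdf'],   // other logged-in user   -> 404
    [null, 'thread-42/report.pdf'],   // anonymous              -> 401
    [7,    '../../etc/passwd'],       // traversal              -> 404
    [7,    'thread-42/link.txt'],     // symlink out of $base   -> 404
];
foreach ($requests as [$uid, $rel]) {
    [$status] = attachment_response($base, $rel, $uid, $canView);
    printf("user=%-4s %-24s -> %d\n", $uid ?? 'anon', $rel, $status);
}

// Clean up the fixture.
unlink("$base/thread-42/link.txt");
unlink("$base/thread-42/report.pdf");
unlink("$tmp/bm-outside-" . getmypid() . '.txt');
rmdir("$base/thread-42");
rmdir($base);
```

The endpoint only helps if the web server really does refuse direct requests to the attachment directory (an Apache `Require all denied` or an nginx `deny all` on that location), otherwise the original bypass remains. The segment allow-list does the traversal check before `realpath()` runs, so a request such as `../../etc/passwd` never touches the filesystem, and the post-`realpath()` prefix comparison catches the case the allow-list cannot see: a symlink inside the directory that points outside it.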

CVE-2024-13697 – Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links
https://notcve.org/view.php?id=CVE-2024-13697
28 Feb 2025 — The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the 'nice_links'. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the "Enable link previews" to be enabled (defau... • https://plugins.trac.wordpress.org/changeset/3243180/bp-better-messages • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2024-13612 – Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-13612
31 Jan 2025 — The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenev... • https://plugins.trac.wordpress.org/browser/bp-better-messages/trunk/inc/shortcodes.php#L125 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-49168 – WordPress BP Better Messages Plugin <= 2.4.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49168
29 Nov 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS. This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
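Both stored XSS entries (the 'better_messages_live_chat_button' shortcode above, and this one) describe the same root cause: user-supplied attributes written into HTML without escaping. The PHP below is an added illustration, not the plugin's code, of a shortcode-style renderer in its vulnerable form next to a hardened one. In WordPress the hardened version would call `shortcode_atts()`, `esc_attr()` and `esc_url()`; here plain-PHP equivalents (`array_intersect_key`, `htmlspecialchars`, and a small scheme allow-list named `safe_href` for this demo) are used so the file runs on its own.

```php
<?php
// Added example, not the plugin's code: a shortcode-style renderer that puts
// user-supplied attributes into HTML, once without escaping and once hardened.
// The attribute names (label, class, url) and the markup are constructed for the demo.
declare(strict_types=1);

/** Vulnerable: attributes are concatenated straight into markup. */
function render_chat_button_vulnerable(array $atts): string
{
    $atts = array_merge(['label' => 'Chat', 'class' => 'bm-chat-btn', 'url' => '#'], $atts);
    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">' . $atts['label'] . '</a>';
}

/** Only fragments, same-site paths and http(s) URLs are allowed in href; anything else becomes '#'. */
function safe_href(string $url): string
{
    $url = trim($url);
    if ($url === '') {
        return '#';
    }
    if ($url[0] === '#' || ($url[0] === '/' && ($url[1] ?? '') !== '/')) {
        return $url;                                        // '//host/...' is protocol-relative, so not same-site
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

/** Hardened: drop unknown attributes, constrain the URL scheme, escape for the attribute context. */
function render_chat_button_hardened(array $atts): string
{
    $defaults = ['label' => 'Chat', 'class' => 'bm-chat-btn', 'url' => '#'];
    $atts = array_merge($defaults, array_intersect_key($atts, $defaults));   // like shortcode_atts()

    // Escaping alone does not neutralise 'javascript:' in href, hence the separate scheme check.
    $href = safe_href((string) $atts['url']);
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<a href="' . $esc($href) . '" class="' . $esc((string) $atts['class']) . '">'
        . $esc((string) $atts['label']) . '</a>';
}

// Constructed attacker-controlled attributes, as a contributor could place them in a post.
$malicious = [
    'label'   => '<img src=x onerror=alert(document.cookie)>',   // breaks out into a new element
    'class'   => '" autofocus onfocus="alert(1)',                // breaks out of the attribute value
    'url'     => 'javascript:alert(1)',                          // no HTML metacharacters at all
    'onclick' => 'alert(2)',                                     // attribute the shortcode never defined
];
echo "vulnerable: ", render_chat_button_vulnerable($malicious), "\n";
echo "hardened:   ", render_chat_button_hardened($malicious), "\n";
```

The `url` case is the one worth remembering: `javascript:alert(1)` survives `htmlspecialchars()` untouched, which is why an href needs a scheme allow-list in addition to attribute escaping (WordPress's `esc_url()` does both). The unknown `onclick` key is discarded rather than rendered, so a renderer that loops over every attribute it received would still be exposed even with escaping in place.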

CVE-2022-40216 – WordPress Better Messages plugin <= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-40216
09 Nov 2022 — Authenticated (subscriber+) Messaging Block Bypass vulnerability in the Better Messages plugin <= 1.9.10.69 on WordPress. The Better Messages plugin for WordPress is vulnerable to Authorization Bypass resulting in a block bypass on messaging controls in versions up to, and including, 1.9.10.68. This is due to insufficient or broken controls... • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve • CWE-284: Improper Access Control CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2022-41609 – WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-41609
21 Oct 2022 — Authenticated (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in the Better Messages plugin 1.9.10.68 on WordPress. The Better Messages plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to 1.9.10.68. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to interact with... • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •
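This entry and CVE-2024-13697 above are both SSRF through the plugin's link-preview fetch: the server retrieves whatever URL appears in a message. The PHP below is an added illustration, not the plugin's code and not its fix, of the validation a preview fetcher needs before it touches the network. The resolver is injected as a callable so the check runs offline against a constructed hostname table; in production it would wrap `gethostbynamel()` or `dns_get_record()`. The hostnames, records and the function names `is_public_ip` / `is_safe_preview_url` are this demo's own.

```php
<?php
// Added example, not the plugin's code: validating a user-supplied URL before the
// server fetches it for a link preview. The resolver is injected so the check can be
// exercised offline with a constructed hostname -> address table.
declare(strict_types=1);

/** True only for public unicast addresses. */
function is_public_ip(string $ip): bool
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return false;
    }
    if (strlen($bin) === 16) {
        // IPv4-mapped IPv6 (::ffff:a.b.c.d): judge the embedded IPv4 address instead.
        if (substr($bin, 0, 10) === str_repeat("\0", 10) && substr($bin, 10, 2) === "\xff\xff") {
            return is_public_ip(inet_ntop(substr($bin, 12)));
        }
        if (ord($bin[0]) === 0xff) {
            return false;                                   // ff00::/8 multicast
        }
    } else {
        $n = unpack('N', $bin)[1];
        if (($n & 0xFFC00000) === 0x64400000 || ($n & 0xF0000000) === 0xE0000000) {
            return false;                                   // 100.64.0.0/10 CGNAT, 224.0.0.0/4 multicast
        }
    }
    // PHP's own lists: 10/8, 172.16/12, 192.168/16, fc00::/7 (private);
    // 0/8, 127/8, 169.254/16, 240/4, ::, ::1, fe80::/10 (reserved).
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Validate a link-preview target. $resolve maps a hostname to all of its addresses;
 * every one of them must be public, because an attacker-controlled zone can mix a
 * public record with an internal one.
 */
function is_safe_preview_url(string $url, callable $resolve): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true) || isset($p['user']) || isset($p['pass'])) {
        return false;                                       // no other schemes, no embedded credentials
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false;                                       // no probing of admin ports on internal hosts
    }
    $host  = strtolower(trim($p['host'], '[]'));            // parse_url keeps IPv6 brackets
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addrs === []) {
        return false;                                       // unresolvable: fail closed
    }
    foreach ($addrs as $ip) {
        if (!is_public_ip($ip)) {
            return false;
        }
    }
    return true;
}

// Constructed resolver (these names and records are fabricated for the demo).
$resolver = function (string $host): array {
    $table = [
        'example.com'          => ['93.184.216.34'],
        'rebind.attacker.test' => ['93.184.216.34', '10.0.0.5'],   // one public, one internal record
        'metadata.internal'    => ['169.254.169.254'],
    ];
    return $table[$host] ?? [];
};

$cases = [
    'https://example.com/article'       => 'allow',
    'http://rebind.attacker.test/'      => 'block',
    'http://metadata.internal/latest/'  => 'block',
    'http://127.0.0.1/wp-admin/'        => 'block',
    'http://[::ffff:127.0.0.1]/'        => 'block',
    'http://[::1]/'                     => 'block',
    'http://100.64.1.1/'                => 'block',
    'http://example.com:8080/'          => 'block',
    'http://user:pw@example.com/'       => 'block',
    'gopher://example.com/'             => 'block',
];
foreach ($cases as $url => $expected) {
    $got = is_safe_preview_url($url, $resolver) ? 'allow' : 'block';
    printf("%-36s %s%s\n", $url, $got, $got === $expected ? '' : '   (unexpected)');
}
```

Two things the validator cannot do on its own. First, redirects: fetch with automatic redirect following disabled and run every `Location` through the same check, otherwise a public host simply bounces the server to `127.0.0.1`. Second, DNS rebinding: the record can change between the check and the connect, so connect to the address that was validated (cURL's `CURLOPT_RESOLVE` pins a host to an address) rather than letting the HTTP client resolve again. Names the resolver cannot map are refused rather than passed to the HTTP client, whose looser address parsing would otherwise accept forms such as `127.1`. Inside WordPress, `wp_safe_remote_get()` already applies a private-range and port check of this kind; the bug class arises when a plugin reaches for a raw HTTP client instead.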

CVE-2022-33142 – WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
https://notcve.org/view.php?id=CVE-2022-33142
22 Aug 2022 — Authenticated (subscriber+) Denial of Service (DoS) vulnerability in the WordPlus Better Messages plugin <= 1.9.10.57 on WordPress. The Better Messages plugin for WordPress is vulnerable to Resource Exhaustion in versions up to, and including, 1.9.10.57 due to not limiting the size of individual messages. This allows a... • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability • CWE-400: Uncontrolled Resource Consumption •

CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •

CVE-2022-36389 – WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-36389
18 Jan 2022 — Cross-Site Request Forgery (CSRF) vulnerability in the WordPlus Better Messages plugin <= 1.9.9.148 on WordPress. The Better Messages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.9.148. This is due to missing or incorrect nonce validation on the bp_messages_favorite action. This makes it possible ... • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-29454 – WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-29454
18 Jan 2022 — Cross-Site Request Forgery (CSRF) vulnerability in the WordPlus Better Messages plugin <= 1.9.9.148 on WordPress allows attackers to upload files. File attachment to messages must be activated. The Better Messages plugin for WordPress is vulnerable to Cross-Site Requ... • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) •
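The two CSRF entries (bp_messages_favorite and the attachment upload) and the Freemius SDK entry above share one shape: a state-changing request handler that skips the nonce check, and in the Freemius case the capability check as well. The PHP below is an added illustration, not the plugin's, Freemius's or WordPress's code, of both checks in the order they belong. The nonce scheme is modelled loosely on WordPress nonces (an HMAC over a 12-hour tick, the action name and the user id, accepted for the current and the previous tick); the secret, the capability table and the `set_db_option` / `get_debug_log` action names are constructed stand-ins for the site salt, `current_user_can()` and the real handlers.

```php
<?php
// Added example, not the plugin's or Freemius's code: the two checks every
// state-changing request handler needs, in the order they belong. The nonce is
// modelled loosely on WordPress nonces (an HMAC over a 12-hour tick, the action
// and the user id, accepted for the current and the previous tick); the secret and
// the capability table are constructed stand-ins for the site salt and current_user_can().
declare(strict_types=1);

const NONCE_TICK_SECONDS = 12 * 3600;
const NONCE_SECRET       = 'demo-only-secret-not-a-real-salt';  // assumption: site-specific salt in production

function nonce_for_tick(int $tick, string $action, int $userId): string
{
    return substr(hash_hmac('sha256', "$tick|$action|$userId", NONCE_SECRET), 0, 10);
}

function create_nonce(string $action, int $userId, int $now): string
{
    return nonce_for_tick(intdiv($now, NONCE_TICK_SECONDS), $action, $userId);
}

/** Accepts the current tick and the previous one (12 to 24 hours of life); constant-time comparison. */
function verify_nonce(string $nonce, string $action, int $userId, int $now): bool
{
    $tick = intdiv($now, NONCE_TICK_SECONDS);
    return hash_equals(nonce_for_tick($tick, $action, $userId), $nonce)
        || hash_equals(nonce_for_tick($tick - 1, $action, $userId), $nonce);
}

/** Constructed capability map standing in for current_user_can(). */
function user_can(int $userId, string $cap): bool
{
    $caps = [1 => ['manage_options', 'read'], 5 => ['read']];
    return in_array($cap, $caps[$userId] ?? [], true);
}

/**
 * Handler for an option-changing request. Authorization first (may this user do
 * this at all?), then the nonce (did this user intend this action now?). A nonce
 * proves intent, not privilege, so it is no substitute for the capability check.
 */
function handle_set_option(array $request, ?int $userId, int $now): int
{
    if ($userId === null) {
        return 401;
    }
    if (!user_can($userId, 'manage_options')) {
        return 403;
    }
    if (!verify_nonce((string) ($request['_nonce'] ?? ''), 'set_db_option', $userId, $now)) {
        return 403;
    }
    // ... apply the change here ...
    return 200;
}

// --- Walk-through with a fixed clock (constructed values) ---
$t0    = 1_700_000_000;
$admin = create_nonce('set_db_option', 1, $t0);
$sub   = create_nonce('set_db_option', 5, $t0);

$cases = [
    'admin, fresh nonce'                       => [['_nonce' => $admin], 1,    $t0],               // 200
    'admin, nonce minted for another action'   => [['_nonce' => create_nonce('get_debug_log', 1, $t0)], 1, $t0], // 403
    'admin, nonce minted for another user'     => [['_nonce' => $sub],   1,    $t0],               // 403
    'subscriber, own valid nonce'              => [['_nonce' => $sub],   5,    $t0],               // 403: no capability
    'anonymous request carrying admin nonce'   => [['_nonce' => $admin], null, $t0],               // 401
    'admin, no nonce (cross-site form post)'   => [[],                   1,    $t0],               // 403
    'admin, nonce 13h old (previous tick)'     => [['_nonce' => $admin], 1,    $t0 + 13 * 3600],   // 200
    'admin, nonce 25h old (expired)'           => [['_nonce' => $admin], 1,    $t0 + 25 * 3600],   // 403
];
foreach ($cases as $label => [$req, $uid, $now]) {
    printf("%-42s -> %d\n", $label, handle_set_option($req, $uid, $now));
}
```

The sixth case is the CSRF scenario from the advisories: the victim's browser sends the request with a valid session, but a cross-site form cannot know the nonce, so the handler refuses. The fourth case is the Freemius scenario: a nonce check alone would have passed, which is why the capability check has to come first and cannot be replaced by it. In WordPress the same two lines are `current_user_can()` followed by `check_ajax_referer()` (or `wp_verify_nonce()`), and the nonce must be bound to the specific action, not a site-wide value.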