CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49168 – WordPress BP Better Messages Plugin <= 2.4.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49168
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0. Neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('Coss-Site Scripting') en WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss permite Stored XSS. Este problema afecta a Better Messages – Live Chat for WordPress. BuddyPress, PeepSo, Ultimate Member, BuddyBoss: desde n/a hasta 2.4.0. The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40216 – WordPress Better Messages plugin <= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-40216
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress. Vulnerabilidad de omisión de bloqueo de mensajería autenticada (con permisos de suscriptor o superiores) en el complemento Better Messages en versiones <= 1.9.10.69 en WordPress. The Better Messages plugin for WordPress is vulnerable to Authorization Bypass resulting in a block bypass on messaging controls in versions up to, and including, 1.9.10.68. This is due to insufficient or broken controls in the plugin. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve https://wordpress.org/plugins/bp-better-messages/#developers • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41609 – WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-41609
Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress. Vulnerabilidad de Server-Side Request Forgery (SSRF) autenticada (con privilegios de suscriptor o superior) en el complemento Better Messages 1.9.10.68 en WordPress. The Better Messages plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to 1.9.10.68. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to interact with internal network hosts via specially crafted requests and can lead to sensitive information disclosure.. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve https://wordpress.org/plugins/bp-better-messages/#developers • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2022-33142 – WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
https://notcve.org/view.php?id=CVE-2022-33142
Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress. Una vulnerabilidad de Denegación de Servicio (DoS) autenticado (subscriber+) en el plugin WordPlus WordPress Better Messages versiones anteriores a 1.9.10.57 incluyéndola, en WordPress. The Better Messages plugin for WordPress is vulnerable to Resource Exhaustion in versions up to, and including, 1.9.10.57 due to not limiting the size of individual messages. This allows attackers, with subscriber-level access or higher, to exhaust resources on the target server potentially resulting in Denial of Service. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability https://wordpress.org/plugins/bp-better-messages/#developers • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29454 – WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-29454
Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el plugin WordPlus Better Messages versiones anteriores a 1.9.9.148 incluyéndola, en WordPress permite a atacantes subir archivos. El archivo adjunto a los mensajes debe estar activado The Better Messages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 19.9.148. This is due to missing nonce validation on the favorite() function. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability https://wordpress.org/plugins/bp-better-messages/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •