WordPress Plugin Vulnerabilities

BP Better Messages < 2.4.33 - Missing Authorization

Description

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 2.4.32. This is due to the plugin not properly verifying if a user should have access to a chatoom. This makes it possible for unauthenticated attackers to access chat rooms they should not have access to.

Affects Plugins

Plugin icon
bp-better-messages
Fixed in 2.4.33

References

CVE
CVE-2024-32802
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1e6327b0-a047-4f8c-8e95-88f2e4b7089f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
0e92bdbe-1fa2-40e1-b969-08eece948ce3

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2024-02-05
Title
WP Club Manager – WordPress Sports Club Plugin < 2.2.11 - Missing Authorization to Unauthenticated Event Permalink Update
Published
2023-12-21
Title
DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ unauthorized data export
Published
2025-03-31
Title
Ni WooCommerce Product Enquiry <= 4.1.8 - Missing Authorization
Published
2024-02-13
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.11.2 - Missing Authorization via pms_stripe_connect_handle_authorization_return
Published
2025-02-17
Title
Affiliate Links: WordPress Plugin for Link Cloaking and Link Management < 3.1.0 - Missing Authorization to Unauthenticated Import/Export and PHP Object Injection