Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss < 2.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | CVE 2024-13612 | Plugin Vulnerabilities

Description

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

bp-better-messages

Fixed in 2.7.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/169a857f-1ae0-40f6-8a34-10c573af59c5

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bassem Essam

Verified

No

WPVDB ID

16f33f37-0180-4b83-9e68-bb71656cff29

Timeline

Publicly Published

2025-01-31 (about 1 year ago)

Added

2025-02-01 (about 1 year ago)

Last Updated

2025-02-01 (about 1 year ago)

Other

Published

Title

Published

2023-02-13

Title

WPaudio MP3 Player <= 4.0.2 - Contributor+ Stored XSS

Published

2022-06-14

Title

Gravity PDF < 6.3.1 - Reflected Cross-Site Scripting

Published

2023-10-02

Title

Swifty Bar, sticky bar by WPGens < 1.2.11 - Admin+ Stored XSS

Published

2024-04-24

Title

PDF Invoices & Packing Slips for WooCommerce < 3.8.1 - Unauthenticated Stored Cross-Site Scripting

Published

2024-11-07

Title

Logo Slider < 4.5.0 - Authenticated (Author+) Stored Cross-Site Scripting