WordPress Plugin Vulnerabilities

Better Messages < 1.9.10.69 - Subscriber+ SSRF

Description

The plugin does not validate a parameter before making a request to it, which could allow users with a role as low as subscriber to perform SSRF attacks

Affects Plugins

Plugin icon
bp-better-messages
Fixed in 1.9.10.69

References

CVE
CVE-2022-41609

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Dhakal Ananda
Verified
No
WPVDB ID
213b80a1-6cc5-4b39-b4b3-2c74db6e8e06

Timeline

Publicly Published
2022-10-21 (about 3 years ago)
Added
2022-11-20 (about 3 years ago)
Last Updated
2022-11-20 (about 3 years ago)

Other

Published
Title
Published
2025-09-22
Title
Publitio < 2.2.2 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2025-06-19
Title
WPThumb <= 0.10 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2025-12-04
Title
Time Sheets <= 2.1.3 - Use of Known Vulnerable Component
Published
2025-06-05
Title
SocialMark <= 2.0.7 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-12-18
Title
Broken Link Checker | Finder < 2.5.1 - Authenticated (Author+) Blind Server-Side Request Forgery