WordPress Plugin Vulnerabilities

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss < 2.7.5 - Unauthenticated Limited Server-Side Request Forgery in nice_links

Description

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the 'nice_links'. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the "Enable link previews" to be enabled (default).

Affects Plugins

Plugin icon
bp-better-messages
Fixed in 2.7.5

References

CVE
CVE-2024-13697
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b67710d7-976b-4a65-bad3-091a97aceb00

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
5d2007b0-1d4f-4401-82c9-998c6b2890f5

Timeline

Publicly Published
2025-02-28 (about 1 year ago)
Added
2025-02-28 (about 1 year ago)
Last Updated
2025-03-01 (about 1 year ago)

Other

Published
Title
Published
2025-08-21
Title
WP Crontrol - 1.17.0 - 1.19.1 - Authenticated (Administrator+) Blind Server-Side Request Forgery
Published
2025-06-05
Title
SocialMark <= 2.0.7 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2023-07-26
Title
Assistant < 1.4.4 - Editor+ SSRF
Published
2025-10-22
Title
MxChat – AI Chatbot for WordPress < 2.4.7 - Unauthenticated Blind Server-Side Request Forgery
Published
2025-02-17
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.4.3 - Authenticated (Subscriber+) Limited Server-Side Request Forgery