Server-Side Request Forgery in Better Messages Plugin for WordPress
CVE-2024-13697

4.8 MEDIUM

Summary

The Better Messages plugin for WordPress (live chat and private messaging for WordPress, BuddyPress, PeepSo, Ultimate Member and BuddyBoss) is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 2.7.4. The flaw is in the handling of the 'nice_links' parameter: the server fetches the URL it is given in order to build a link preview, without restricting where that request may go. An unauthenticated attacker can therefore make the web server issue requests to arbitrary destinations, including services on the internal network that are not reachable from the outside, and use the responses to read information from or modify those services. Exploitation requires the 'Enable link previews' option, which is turned on by default, so most installations are exposed until the plugin is updated to a release later than 2.7.4 or link previews are disabled.
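The class of bug described above (a server-side fetch of a user-supplied URL with no destination check) has a standard fix: validate the target before the request leaves the server. The Python below is an added example written for this page, not code from the Better Messages plugin or its fix, and the names `check_preview_url`, `is_public_address`, the DNS table and the resolver are constructed for the illustration. It restricts scheme and port, refuses credentials in the URL, resolves the hostname and rejects any answer that is not a public address, and returns the resolved IP so the caller can connect to exactly the address that was checked.

```python
"""SSRF destination check for a link-preview fetcher.

Added example, not code from the Better Messages plugin. A link-preview
endpoint takes a user-supplied URL and fetches it server-side; the hardening
is to validate the destination before the fetch. The resolver is injectable
so the check runs offline against a constructed DNS table.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # assumption: previews need only the standard web ports


def system_resolver(host):
    """Every IPv4/IPv6 address the OS resolver returns for host (may raise gaierror)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(ip):
    """True only for globally routable unicast addresses.

    is_global already excludes loopback, RFC 1918 private space, link-local
    (169.254.0.0/16, where cloud metadata services live), carrier NAT
    (100.64.0.0/10), documentation and reserved ranges; multicast is excluded
    explicitly because is_global does not cover it for IPv4.
    """
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def check_preview_url(url, resolver=system_resolver):
    """Validate a user-supplied preview URL.

    Returns (True, ip_to_connect_to) or (False, reason). The caller should
    connect to the returned IP (keeping the original Host header / TLS SNI)
    instead of resolving again, so a changed DNS answer between check and
    fetch (DNS rebinding) cannot steer the request to an internal host.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # A literal address (urlsplit strips the brackets from IPv6 literals) is
    # checked directly. Anything else, including odd forms such as a decimal
    # "2130706433", goes through the resolver, and every returned address must
    # be public: a name with one public and one private record is rejected.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"DNS resolution failed for {host}: {exc}"
        if not addresses:
            return False, f"{host} did not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, str(addresses[0])


# Constructed DNS table for the offline demonstration (not real records).
CONSTRUCTED_DNS = {
    "example.test": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],   # one public, one private answer
    "intranet.test": ["192.168.1.20"],
}


def constructed_resolver(host):
    """Resolver backed by CONSTRUCTED_DNS; unknown names fail like real DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS[host]]


if __name__ == "__main__":
    for candidate in [
        "https://example.test/article",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:80/",
        "http://[::ffff:10.0.0.1]/",
        "http://user:pw@example.test/",
        "file:///etc/passwd",
        "https://rebind.test/",
        "http://intranet.test/",
        "http://example.test:8080/",
    ]:
        print(candidate, "->", check_preview_url(candidate, constructed_resolver))
```

The check must also be applied to every redirect target, since a fetch that follows a 302 to http://127.0.0.1/ otherwise bypasses it. In WordPress itself, the equivalent protection is to fetch with wp_safe_remote_get() rather than wp_remote_get(): the safe variant sets reject_unsafe_urls and runs the destination through wp_http_validate_url(), whereas a plugin calling wp_remote_get() on user input gets no destination check at all.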

Affected Version(s)

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: all versions <= 2.7.4

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tim Coen