CVE-2024-13611
Published: 01 March 2025
Description
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.
Security Summary
CVE-2024-13611 is a sensitive information exposure vulnerability (CWE-200) in the Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress, affecting all versions up to and including 2.6.9. The flaw occurs via the 'bp-better-messages' directory, where sensitive data is stored insecurely in the /wp-content/uploads/bp-better-messages directory, which can contain file attachments included in chat messages.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, no privileges, and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation enables attackers to extract the sensitive data from the exposed directory, resulting in high confidentiality impact without affecting integrity or availability.
Advisories and references point to mitigation via a patch in WordPress plugin trac changeset 3228957, with related code visible in trunk/addons/files.php. Further details are available in Wordfence threat intelligence for vulnerability ID 997918b9-2ccd-413e-9df2-d24bc3820ba1.
Details
- CWE(s)