Description
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Script Injection
Action: Immediate Update
AI Analysis

Impact

The Better Messages – Live Chat plugin is vulnerable to stored cross‑site scripting through the guest display name field. This weakness, identified as CWE‑79, allows an unauthenticated attacker to store malicious scripts that are later executed in the browsers of any user who views a page containing the injected data. The impact is client‑side code execution which may lead to session hijacking, defacement, or phishing attacks against site visitors.

Affected Systems

The vulnerability affects the WordPress Better Messages – Live Chat, Chat Rooms, Real‑Time Messaging & Private Messages plugin provided by wordplus. All released versions up to and including 2.10.2 are impacted. Users of WordPress sites employing BuddyPress, PeepSo, Ultimate Member, or BuddyBoss that rely on this plugin must check the plugin version and ensure it is updated beyond 2.10.2.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity threat. The EPSS score of less than 1% reflects a low probability of real‑world exploitation given the current data, and the vulnerability is not listed in the CISA KEV catalog. Unauthenticated attackers can exploit the flaw by creating a guest user with a crafted display name; when any site visitor views a page that displays that name, the injected script runs. This attack requires no special privileges and can affect all visitors to the page.

Generated by OpenCVE AI on April 20, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Better Messages plugin to the latest version available, which removes the input sanitization flaw in guest display names.
  • If a patch is not yet available or an upgrade is not possible, disable or uninstall the plugin, or block guest users from submitting display names to prevent the stored script from being added.
  • Ensure that any remaining guest display names are manually reviewed and sanitized before being displayed, or configure the plugin to escape output of all user‑supplied fields.

Tracking

Advisories

No advisories yet.

History

Wed, 17 Dec 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 14:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordplus; Wordplus better Messages; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordplus; Wordplus better Messages; Wordpress; Wordpress wordpress

Wed, 17 Dec 2025 05:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wordplus Better Messages
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:23.481Z

Reserved: 2025-12-05T19:58:21.755Z

Link: CVE-2025-14154

Vulnrichment

Updated: 2025-12-17T19:13:10.102Z

NVD

Status: Deferred

Published: 2025-12-17T06:15:41.747

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses