CVE-2021-24809

HIGH

BP Better Messages <1.9.9.41 - CSRF

Title source: llm

Description

The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions

Exploits (1)

github NO CODE 2 stars
by tomorroisnew · poc
https://github.com/tomorroisnew/CVE/tree/main/CVE-2021-24809

References (2)

Scores

CVSS v3 8.8
EPSS 0.0030
EPSS Percentile 53.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
wordplus/better_messages < 1.9.9.41
Published Nov 01, 2021
Tracked Since Feb 18, 2026