CVE-2021-24809
📋 TL;DR
This CSRF vulnerability in the BP Better Messages WordPress plugin allows attackers to trick logged-in users into performing unwanted actions in chat threads. Attackers can force users to leave/join chats, mute/unmute threads, or add/remove users without their consent. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- BP Better Messages WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate chat memberships, disrupt communications, or force users out of important conversations, potentially causing operational disruption or social engineering attacks.
Likely Case
Attackers trick users into leaving chats they want to stay in or joining unwanted chats, causing minor disruption to communication flows.
If Mitigated
With proper CSRF protections, no unauthorized actions can be performed through these AJAX endpoints.
🎯 Exploit Status
Exploitation requires tricking a logged-in user into visiting a malicious page. No authentication bypass is needed; the victim only has to be logged in to the WordPress site.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.9.41
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'BP Better Messages' and click 'Update Now'.
4. Verify the version is 1.9.9.41 or later.
🔧 Temporary Workarounds
Disable Plugin
Platform: Linux. Temporarily disable the BP Better Messages plugin until patched:
wp plugin deactivate bp-better-messages
Add CSRF Protection
Platform: all. Add custom CSRF tokens to the vulnerable AJAX endpoints via custom code.
🧯 If You Can't Patch
- Implement WAF rules to block requests to vulnerable AJAX endpoints without proper referrer headers
- Educate users about phishing risks and advise them to log out when not actively using the site
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins → Installed Plugins. If the version is below 1.9.9.41, the site is vulnerable.
Check Version:
wp plugin get bp-better-messages --field=version
Verify Fix Applied:
After updating, verify that the version shown in WordPress admin is 1.9.9.41 or higher. Send requests to the affected AJAX endpoints without a CSRF token and confirm they are now rejected with an error.
📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to bp_better_messages_* endpoints without referrer headers or with external referrers
- Users reporting unexpected chat membership changes
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameters matching vulnerable endpoints coming from unexpected sources
SIEM Query:
source="wordpress.log" AND (action="bp_better_messages_leave_chat" OR action="bp_better_messages_join_chat" OR action="bp_messages_leave_thread" OR action="bp_messages_mute_thread" OR action="bp_messages_unmute_thread" OR action="bp_better_messages_add_user_to_thread" OR action="bp_better_messages_exclude_user_from_thread")
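The log indicators above can be checked programmatically. The following is an added example, not code from the advisory or the plugin: it flags admin-ajax.php POSTs for the affected action names whose Referer header is missing or belongs to a foreign origin. The record field names and the sample records are constructed assumptions; a real deployment would feed it from a request log that captures the action parameter and the Referer header.

```python
from urllib.parse import urlsplit

# Action names taken from the advisory's SIEM query.
VULN_ACTIONS = {
    "bp_better_messages_leave_chat",
    "bp_better_messages_join_chat",
    "bp_messages_leave_thread",
    "bp_messages_mute_thread",
    "bp_messages_unmute_thread",
    "bp_better_messages_add_user_to_thread",
    "bp_better_messages_exclude_user_from_thread",
}

def referer_is_foreign(referer, site_host):
    """True when the Referer is absent or its host is not the site itself."""
    if not referer:
        return True
    host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    return host is None or host != site_host.lower()

def flag_suspicious(records, site_host):
    """Return the records matching the CSRF pattern the advisory describes:
    POST to admin-ajax.php, an affected action, and a missing/foreign Referer."""
    flagged = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        if not rec.get("path", "").endswith("/wp-admin/admin-ajax.php"):
            continue
        if rec.get("action") not in VULN_ACTIONS:
            continue
        if referer_is_foreign(rec.get("referer"), site_host):
            flagged.append(rec)
    return flagged

# Constructed sample records (field names are assumptions, not a real log format).
SAMPLE = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "action": "bp_messages_leave_thread", "referer": "https://example.com/messages/"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "action": "bp_messages_leave_thread", "referer": "https://other.example/page"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "action": "bp_better_messages_join_chat", "referer": None},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "action": "heartbeat", "referer": None},
]

if __name__ == "__main__":
    for rec in flag_suspicious(SAMPLE, "example.com"):
        print("suspicious:", rec["action"], rec["referer"])
```

Browsers and privacy extensions sometimes strip the Referer header, so a missing header on its own is a weak signal; treat hits as leads to correlate with user reports of unexpected membership changes rather than as confirmed abuse.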
🔗 References
- https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php
- https://wpscan.com/vulnerability/e186fef4-dca0-461f-b539-082c13a68d13