CVE-2024-13697

4.8 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks via the 'nice_links' feature in the Better Messages WordPress plugin. Attackers can make arbitrary web requests from the vulnerable server, potentially accessing internal services and sensitive information. All WordPress sites using this plugin up to version 2.7.4 with 'Enable link previews' enabled (default setting) are affected.

💻 Affected Systems

Products:
  • Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Versions: All versions up to and including 2.7.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires 'Enable link previews' feature to be enabled, which is the default setting.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data from internal networks, perform port scanning, or interact with cloud metadata services to gain further access.

🟠 Likely Case

Attackers scanning internal networks, accessing internal web applications, or retrieving sensitive information from services that shouldn't be publicly accessible.

🟢 If Mitigated

Limited to internal network reconnaissance with no critical data exposure if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited, and this one requires no authentication when the default settings are in place.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.5

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3243180/bp-better-messages

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Better Messages' plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 2.7.5+ from WordPress repository and manually update

🔧 Temporary Workarounds

Disable Link Previews

Disable the vulnerable 'Enable link previews' feature in plugin settings

Temporary Plugin Deactivation

Deactivate the plugin until patched

wp plugin deactivate bp-better-messages

🧯 If You Can't Patch

  • Implement network segmentation to restrict the WordPress server's outbound access to internal services and cloud metadata endpoints
  • Deploy web application firewall (WAF) rules to block SSRF patterns and restrict outbound requests

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'Better Messages' version 2.7.4 or lower

Check Version:

wp plugin get bp-better-messages --field=version

Verify Fix Applied:

Verify plugin version is 2.7.5 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from WordPress server to internal IP ranges
  • Requests to metadata services (169.254.169.254, etc.)
  • Multiple failed requests to internal services

Network Indicators:

  • WordPress server making unexpected HTTP requests to internal network segments
  • Requests to cloud provider metadata endpoints

SIEM Query:

source="wordpress-logs" AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254) OR uri CONTAINS "nice_links")
