CVE-2025-14154
📋 TL;DR
This stored XSS vulnerability in the Better Messages WordPress plugin allows unauthenticated attackers to inject malicious JavaScript via guest display names. The injected scripts execute whenever users view pages containing the malicious content, potentially compromising their accounts or browsers. All WordPress sites running this plugin at version 2.10.2 or lower are affected.
💻 Affected Systems
- Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, redirect users to malicious sites, or deploy malware to visitors' browsers.
Likely Case
Attackers will inject scripts to steal user session cookies, redirect users to phishing pages, or display malicious advertisements.
If Mitigated
With proper CSP headers and browser security features, script execution may be blocked, limiting impact to specific browser contexts.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill. The vulnerability is straightforward to weaponize for basic XSS attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.3
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3420771/bp-better-messages/trunk/inc/guests.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Better Messages' and click 'Update Now'.
4. Verify the version shows 2.10.3 or higher.
🔧 Temporary Workarounds
Disable Guest Chat
Temporarily disable guest chat functionality to prevent exploitation.
Navigate to Better Messages settings → General → Disable 'Allow Guests to send messages'
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy web application firewall (WAF) rules to block XSS payloads in guest names
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Better Messages. If version is 2.10.2 or lower, you are vulnerable.
Check Version:
wp plugin list --name='bp-better-messages' --field=version
Verify Fix Applied:
After updating, verify version shows 2.10.3 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual guest display names containing script tags or JavaScript code
- Multiple guest accounts created in short timeframes
Network Indicators:
- HTTP requests with suspicious parameters in guest name fields
- Outbound connections to unknown domains from chat pages
SIEM Query:
source="wordpress" AND (message="*<script>*" OR message="*javascript:*") AND plugin="bp-better-messages"
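A defender-side check for the two log indicators above (markup or script URIs in guest display names, and bursts of guest sign-ins from one address), written as an added example rather than anything from the plugin, the vendor or this advisory. The JSON-lines format, the field names "event", "ip" and "guest_name", and the sample events are all constructed assumptions about the log source.

```python
import json
import re
from datetime import datetime, timedelta
# Constructed sample events (JSON lines), not real Better Messages logs; the field
# names "event", "ip" and "guest_name" are assumptions about the log source.
SAMPLE_LOG = """\
{"ts": "2025-12-01T10:00:01Z", "event": "guest_join", "ip": "203.0.113.5", "guest_name": "alice"}
{"ts": "2025-12-01T10:00:04Z", "event": "guest_join", "ip": "203.0.113.9", "guest_name": "<script>alert(1)</script>"}
{"ts": "2025-12-01T10:00:07Z", "event": "guest_join", "ip": "203.0.113.9", "guest_name": "<img src=x onerror=alert(1)>"}
{"ts": "2025-12-01T10:00:09Z", "event": "guest_join", "ip": "203.0.113.9", "guest_name": "javascript:alert(1)"}
"""

# Most specific indicator first; the last rule flags any markup, which a display name never needs.
NAME_RULES = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("inline event handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)),
    ("html markup", re.compile(r"</?[a-z][^>]*>", re.I)),
]

def parse_events(text):
    """Parse JSON lines, converting the ISO-8601 "ts" field to a datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events

def flag_suspicious_names(events):
    """Guest joins whose display name carries an XSS indicator (log indicator 1 above)."""
    hits = []
    for ev in (e for e in events if e.get("event") == "guest_join"):
        reason = next((r for r, rx in NAME_RULES if rx.search(ev["guest_name"])), None)
        if reason:
            hits.append({"ip": ev["ip"], "guest_name": ev["guest_name"], "reason": reason})
    return hits

def find_join_bursts(events, window_seconds=60, threshold=3):
    """IPs creating >= threshold guest sessions inside any sliding window (indicator 2)."""
    by_ip = {}
    for ev in events:
        if ev.get("event") == "guest_join":
            by_ip.setdefault(ev["ip"], []).append(ev["ts"])
    window, bursts = timedelta(seconds=window_seconds), []
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, j = 0, 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            peak = max(peak, j - i)  # joins that fall in [start, start + window]
        if peak >= threshold:
            bursts.append((ip, peak))
    return bursts
```

Feed it the same records your SIEM query above matches on and route hits to the alert that reviews guest names before the page rendering them is served.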