CVE-2024-13611: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wordplus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
CVE-2024-13611 is a high-severity vulnerability in the Better Messages – Live Chat plugin for WordPress and related platforms that allows unauthenticated attackers to access sensitive information. The flaw exists in all versions up to 2. 6. 9, where sensitive files stored in the /wp-content/uploads/bp-better-messages directory are exposed without proper access controls. Attackers can retrieve file attachments included in chat messages, leading to confidentiality breaches. No authentication or user interaction is required, and the vulnerability can be exploited remotely over the network. While no known exploits are currently reported in the wild, the ease of exploitation and the sensitive nature of exposed data make this a significant risk. Organizations using this plugin should prioritize patching or mitigating access to the affected directory to prevent unauthorized data disclosure. This vulnerability primarily affects WordPress sites using the Better Messages plugin, which is popular in communities using BuddyPress, PeepSo, Ultimate Member, and BuddyBoss. Countries with large WordPress user bases and active online communities are at higher risk.
AI Analysis
Technical Summary
CVE-2024-13611 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Better Messages – Live Chat plugin for WordPress and associated platforms such as BuddyPress, PeepSo, Ultimate Member, and BuddyBoss. The vulnerability exists in all versions up to and including 2.6.9. It arises because sensitive files, specifically file attachments included in chat messages, are stored insecurely in the /wp-content/uploads/bp-better-messages directory without proper access restrictions. This misconfiguration allows unauthenticated attackers to directly access and download these files via HTTP requests. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low complexity. The exposed data can include private chat attachments, potentially containing sensitive personal or organizational information, leading to confidentiality breaches. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the ease of exploitation and the high impact on confidentiality, while integrity and availability remain unaffected. No known exploits have been reported in the wild yet, but the vulnerability is publicly disclosed and documented by Wordfence and the CVE database. The issue stems from improper file access controls and directory permissions within the plugin’s file storage mechanism. This vulnerability highlights the importance of secure file handling and access control in WordPress plugins that manage user-generated content and private communications.
Potential Impact
The primary impact of CVE-2024-13611 is the unauthorized disclosure of sensitive information stored as file attachments in chat messages. Organizations using the affected plugin risk exposing private communications, personal data, or confidential business information to attackers without any authentication barrier. This can lead to privacy violations, regulatory compliance issues (such as GDPR or HIPAA breaches), reputational damage, and potential legal consequences. Since the vulnerability allows remote and unauthenticated access, attackers can easily harvest sensitive files at scale, potentially targeting high-value organizations or communities. The exposure of sensitive attachments may also facilitate further attacks, such as social engineering or spear-phishing, by providing attackers with detailed personal or organizational context. The vulnerability does not affect system integrity or availability directly but significantly compromises confidentiality. Given the widespread use of WordPress and the popularity of the Better Messages plugin in community and membership sites, the scope of affected systems is substantial. Organizations relying on these platforms for internal or external communications are particularly vulnerable.
Mitigation Recommendations
1. Immediate mitigation involves restricting public access to the /wp-content/uploads/bp-better-messages directory via web server configuration (e.g., using .htaccess rules for Apache or equivalent for NGINX) to prevent unauthenticated HTTP access to stored files. 2. Upgrade the Better Messages plugin to a patched version once released by the vendor that enforces proper access controls and authentication checks on file retrieval. 3. Implement additional access control mechanisms at the application level to ensure only authorized users can access chat attachments. 4. Regularly audit file storage permissions and plugin configurations to detect and remediate insecure settings. 5. Monitor web server logs for suspicious access attempts to the bp-better-messages directory to identify potential exploitation. 6. Educate site administrators about the risks of insecure file storage and the importance of timely plugin updates. 7. Consider isolating sensitive file storage locations outside of publicly accessible directories or using token-based access controls. 8. Employ web application firewalls (WAFs) to detect and block unauthorized attempts to access sensitive plugin directories. These steps go beyond generic advice by focusing on immediate access restrictions and architectural changes to file storage.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Netherlands, Japan, South Africa, Italy
CVE-2024-13611: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wordplus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Description
CVE-2024-13611 is a high-severity vulnerability in the Better Messages – Live Chat plugin for WordPress and related platforms that allows unauthenticated attackers to access sensitive information. The flaw exists in all versions up to 2. 6. 9, where sensitive files stored in the /wp-content/uploads/bp-better-messages directory are exposed without proper access controls. Attackers can retrieve file attachments included in chat messages, leading to confidentiality breaches. No authentication or user interaction is required, and the vulnerability can be exploited remotely over the network. While no known exploits are currently reported in the wild, the ease of exploitation and the sensitive nature of exposed data make this a significant risk. Organizations using this plugin should prioritize patching or mitigating access to the affected directory to prevent unauthorized data disclosure. This vulnerability primarily affects WordPress sites using the Better Messages plugin, which is popular in communities using BuddyPress, PeepSo, Ultimate Member, and BuddyBoss. Countries with large WordPress user bases and active online communities are at higher risk.
AI-Powered Analysis
Technical Analysis
CVE-2024-13611 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Better Messages – Live Chat plugin for WordPress and associated platforms such as BuddyPress, PeepSo, Ultimate Member, and BuddyBoss. The vulnerability exists in all versions up to and including 2.6.9. It arises because sensitive files, specifically file attachments included in chat messages, are stored insecurely in the /wp-content/uploads/bp-better-messages directory without proper access restrictions. This misconfiguration allows unauthenticated attackers to directly access and download these files via HTTP requests. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low complexity. The exposed data can include private chat attachments, potentially containing sensitive personal or organizational information, leading to confidentiality breaches. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the ease of exploitation and the high impact on confidentiality, while integrity and availability remain unaffected. No known exploits have been reported in the wild yet, but the vulnerability is publicly disclosed and documented by Wordfence and the CVE database. The issue stems from improper file access controls and directory permissions within the plugin’s file storage mechanism. This vulnerability highlights the importance of secure file handling and access control in WordPress plugins that manage user-generated content and private communications.
Potential Impact
The primary impact of CVE-2024-13611 is the unauthorized disclosure of sensitive information stored as file attachments in chat messages. Organizations using the affected plugin risk exposing private communications, personal data, or confidential business information to attackers without any authentication barrier. This can lead to privacy violations, regulatory compliance issues (such as GDPR or HIPAA breaches), reputational damage, and potential legal consequences. Since the vulnerability allows remote and unauthenticated access, attackers can easily harvest sensitive files at scale, potentially targeting high-value organizations or communities. The exposure of sensitive attachments may also facilitate further attacks, such as social engineering or spear-phishing, by providing attackers with detailed personal or organizational context. The vulnerability does not affect system integrity or availability directly but significantly compromises confidentiality. Given the widespread use of WordPress and the popularity of the Better Messages plugin in community and membership sites, the scope of affected systems is substantial. Organizations relying on these platforms for internal or external communications are particularly vulnerable.
Mitigation Recommendations
1. Immediate mitigation involves restricting public access to the /wp-content/uploads/bp-better-messages directory via web server configuration (e.g., using .htaccess rules for Apache or equivalent for NGINX) to prevent unauthenticated HTTP access to stored files. 2. Upgrade the Better Messages plugin to a patched version once released by the vendor that enforces proper access controls and authentication checks on file retrieval. 3. Implement additional access control mechanisms at the application level to ensure only authorized users can access chat attachments. 4. Regularly audit file storage permissions and plugin configurations to detect and remediate insecure settings. 5. Monitor web server logs for suspicious access attempts to the bp-better-messages directory to identify potential exploitation. 6. Educate site administrators about the risks of insecure file storage and the importance of timely plugin updates. 7. Consider isolating sensitive file storage locations outside of publicly accessible directories or using token-based access controls. 8. Employ web application firewalls (WAFs) to detect and block unauthorized attempts to access sensitive plugin directories. These steps go beyond generic advice by focusing on immediate access restrictions and architectural changes to file storage.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-21T23:49:54.015Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e64b7ef31ef0b59fcc5
Added to database: 2/25/2026, 9:49:24 PM
Last enriched: 2/25/2026, 11:11:52 PM
Last updated: 2/26/2026, 6:48:43 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumCVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.