
CVE-2024-13612: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wordplus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Severity: Medium
Tags: Vulnerability, CVE-2024-13612, CWE-79
Published: Sat Feb 01 2025 (02/01/2025, 12:21:30 UTC)
Source: CVE Database V5
Vendor/Project: wordplus
Product: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Description

CVE-2024-13612 is a stored cross-site scripting (XSS) vulnerability in the Better Messages – Live Chat plugin for WordPress and its BuddyPress, PeepSo, Ultimate Member and BuddyBoss integrations. All versions up to and including 2.6.9 are affected. Authenticated users with contributor-level access or higher can inject arbitrary web scripts through attributes of the 'better_messages_live_chat_button' shortcode, because the plugin does not sufficiently sanitize the supplied attribute values on input or escape them on output. The payload is stored with the post and executes in the browser of every user who views the page, including editors and administrators who review a contributor's pending submission, which can lead to session hijacking, actions performed with the victim's privileges, or data theft. No interaction beyond viewing the page is required, and no privilege above contributor is needed. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low impact on confidentiality and integrity with no impact on availability. No exploitation in the wild has been reported.

AI-Powered Analysis

Last updated: 02/25/2026, 23:27:48 UTC

Technical Analysis

CVE-2024-13612 is a stored cross-site scripting vulnerability (CWE-79) in the Better Messages – Live Chat plugin for WordPress and its BuddyPress, PeepSo, Ultimate Member and BuddyBoss integrations, present in all versions up to and including 2.6.9. The defect is in the 'better_messages_live_chat_button' shortcode: attribute values supplied in the post body are placed into the generated HTML without adequate sanitization or context-appropriate escaping, so an authenticated user with the contributor role or higher can inject arbitrary JavaScript.

The shortcode path matters because of how WordPress filters content. Contributors lack the unfiltered_html capability, so the post body is passed through wp_kses on save and raw <script> tags and event-handler attributes are stripped. Shortcode text such as [better_messages_live_chat_button attr='...'] is not an HTML tag, so wp_kses leaves it alone; the shortcode is expanded into markup only at render time, after filtering, and a quote or angle bracket inside an attribute value can then break out of the attribute or element the plugin builds. Contributors also cannot publish, so their posts sit in the pending queue; the payload typically fires first in the browser of the editor or administrator who previews the submission, which is exactly the high-privilege session an attacker wants.

The CVSS 3.1 base score is 6.4 (medium), with network attack vector, low attack complexity, low privileges required (contributor), no user interaction, and low impact on confidentiality and integrity with no impact on availability. A 6.4 rather than 5.4 with these metrics means the scope is rated as changed: the script runs in the victims' browsers, outside the plugin's own security authority. "No user interaction" here is the CVSS sense: the victim need only view the page as part of normal site use. No public exploit has been reported, but the install base of WordPress and the community platforms this plugin integrates with makes the issue attractive. The vulnerability was published on February 1, 2025. The root cause is the familiar one for shortcode handlers: attribute values must be validated on input and escaped for the exact output context (attribute, element text, URL) at the point where the HTML is assembled.
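The pattern described above, as an added illustration that is not the plugin's code and is not taken from this advisory: a minimal WordPress shortcode handler that concatenates attributes into markup, beside a hardened version that validates the class token and escapes each value for its output context. The tag name 'demo_chat_button' and the attributes 'text' and 'class' are assumptions for the demo (the advisory does not name the vulnerable attribute); the function_exists shims only stand in for WordPress's esc_attr, esc_html, sanitize_html_class and shortcode_atts so that the file runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Tag and attribute names are
// assumptions for the demo; the advisory does not name the attribute.
//
// Shims so the file runs outside WordPress. Inside WordPress the real
// functions already exist and these definitions are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    // WordPress keeps only A-Z, a-z, 0-9, '_' and '-' in a class token.
    function sanitize_html_class($class, $fallback = '') {
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
        return $clean === '' ? $fallback : $clean;
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts, $shortcode = '') {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// VULNERABLE pattern: attribute values go straight into the HTML string.
// wp_kses never sees this output, because shortcodes are expanded at
// render time on the_content, after the post body was filtered on save.
function demo_chat_button_vulnerable($atts) {
    $a = shortcode_atts(['text' => 'Chat', 'class' => ''], $atts, 'demo_chat_button');
    return '<button class="demo-chat ' . $a['class'] . '">' . $a['text'] . '</button>';
}

// HARDENED pattern: restrict the class token to a strict character set and
// escape every value for the context it lands in (attribute vs. element
// text) at the point of output. In a plugin you would register it with
// add_shortcode('demo_chat_button', 'demo_chat_button_hardened').
function demo_chat_button_hardened($atts) {
    $a     = shortcode_atts(['text' => 'Chat', 'class' => ''], $atts, 'demo_chat_button');
    $class = trim('demo-chat ' . sanitize_html_class($a['class']));
    return '<button class="' . esc_attr($class) . '">' . esc_html($a['text']) . '</button>';
}

// Constructed attacker input, i.e. what a contributor could type as
//   [demo_chat_button class='" onmouseover="alert(document.cookie)' text='Chat & help']
// A single-quoted shortcode value may contain double quotes, and because
// the shortcode text is not an HTML tag, wp_kses leaves it intact on save.
$attacker = [
    'class' => '" onmouseover="alert(document.cookie)',
    'text'  => 'Chat & help',
];

echo demo_chat_button_vulnerable($attacker), PHP_EOL;
echo demo_chat_button_hardened($attacker), PHP_EOL;
```

Run with php on the command line. The vulnerable handler emits the attacker's onmouseover handler as a live attribute on the button; the hardened handler reduces the class value to a harmless token and renders the text with its special characters encoded, so nothing the contributor supplied is interpreted as markup.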

Potential Impact

The impact of CVE-2024-13612 is significant for sites running the Better Messages – Live Chat plugin with a user base that includes contributors. Successful exploitation lets a contributor or higher store a script that runs in the browsers of visitors and, more importantly, of the editors and administrators who review the contributor's submission. Session cookies can be stolen, or the script can act directly with the victim's privileges (for example, creating an administrator or changing site settings through the WordPress admin, where the victim's own nonces and cookies are available to it), which can lead to full site compromise. Page content can be altered and visitors redirected. Confidentiality and integrity of user data and site content are at risk; availability is not directly affected. Because the plugin targets BuddyPress, PeepSo, Ultimate Member and BuddyBoss deployments, the exposed population is largely social networks, membership sites and community forums, where the contributor role is often granted to self-registered members and where contributor-level access cannot be assumed to be trustworthy. The medium rating reflects that the attacker must hold an authenticated contributor account, which narrows the attack surface relative to an unauthenticated XSS, but on a community site that bar is low.

Mitigation Recommendations

To mitigate CVE-2024-13612, update the Better Messages – Live Chat plugin to a release later than 2.6.9; every version up to and including 2.6.9 is affected, so check the vendor's changelog for the fixed release before relying on it. Until the update is applied: restrict the contributor role to trusted users, review recently created contributor accounts, and audit existing posts in every status (published, pending, draft and private, since a contributor's submission sits in the pending queue and the payload fires when an editor previews it) for 'better_messages_live_chat_button' shortcodes whose attribute values contain quotes, angle brackets, on*= event handlers or javascript: schemes. A Web Application Firewall rule that inspects post-save requests for those patterns inside the shortcode gives temporary protection; note that the rule must apply on the write path (the post editor and REST endpoints), because at render time the payload arrives from the database, not from the request. A Content Security Policy that omits 'unsafe-inline' for script-src blocks inline event handlers and therefore this class of payload, but many WordPress themes and plugins still depend on inline scripts, so test a report-only policy first. Consider removing the shortcode from the allowed set, or disabling it via remove_shortcode in a must-use plugin, if the live chat button is not essential. For custom code and extensions, apply the same rule the plugin violated: validate shortcode attributes on input and escape them with the context-appropriate WordPress function (esc_attr, esc_html, esc_url) at the point of output. Finally, monitor for unusual contributor activity and for administrator sessions created shortly after a contributor submission was previewed.
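A scan of the kind recommended above, as an added example that is not part of the plugin or of this advisory. It looks through stored post content for 'better_messages_live_chat_button' shortcodes and reports attribute values that carry characters or tokens capable of breaking out of the generated markup. The attribute parser is modelled on WordPress's shortcode_parse_atts; the sample posts are constructed, and in a real site you would feed the function the result of get_posts with post_status set to 'any' (or query wp_posts directly) so that pending and draft submissions are covered. The attribute names in the samples are assumptions.

```php
<?php
// Added example, not part of the plugin or of the advisory. Sample posts
// are constructed; attribute names in them are assumptions.

const BM_SHORTCODE = 'better_messages_live_chat_button';

// Attribute parser modelled on WordPress's shortcode_parse_atts():
// handles key="value", key='value' and key=value.
function bm_parse_atts(string $text): array {
    $atts = [];
    $re = '/([\w-]+)\s*=\s*"([^"]*)"|([\w-]+)\s*=\s*\'([^\']*)\'|([\w-]+)\s*=\s*([^\s\'"]+)/';
    if (preg_match_all($re, $text, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            if (($match[1] ?? '') !== '') {
                $atts[$match[1]] = $match[2];
            } elseif (($match[3] ?? '') !== '') {
                $atts[$match[3]] = $match[4];
            } elseif (($match[5] ?? '') !== '') {
                $atts[$match[5]] = $match[6];
            }
        }
    }
    return $atts;
}

// A quote or angle bracket can close the attribute or element the plugin
// builds; on*= handlers, javascript: URLs and numeric entities are the
// usual payload shapes once the attacker is inside the markup.
function bm_value_is_suspicious(string $value): bool {
    return (bool) preg_match('/["<>]|\bon[a-z]+\s*=|javascript\s*:|&#/i', $value);
}

// $posts: list of arrays with ID, post_author, post_status, post_content,
// i.e. the columns of wp_posts the scan needs.
function bm_find_suspicious_shortcodes(array $posts): array {
    $hits = [];
    // Approximation of the WordPress shortcode regex: [tag] or [tag attrs].
    $re = '/\[' . preg_quote(BM_SHORTCODE, '/') . '(\s[^\]]*)?\]/';
    foreach ($posts as $post) {
        if (!preg_match_all($re, $post['post_content'], $m)) {
            continue;
        }
        foreach ($m[1] as $attText) {
            foreach (bm_parse_atts($attText) as $name => $value) {
                if (bm_value_is_suspicious($value)) {
                    $hits[] = [
                        'ID'          => $post['ID'],
                        'post_author' => $post['post_author'],
                        'post_status' => $post['post_status'],
                        'attr'        => $name,
                        'value'       => $value,
                    ];
                }
            }
        }
    }
    return $hits;
}

// Constructed sample data: one benign published use, one pending submission
// with an attribute break-out, one draft with a tag in the value.
$posts = [
    ['ID' => 10, 'post_author' => 2, 'post_status' => 'publish',
     'post_content' => 'Say hi: [better_messages_live_chat_button text="Chat with us"]'],
    ['ID' => 11, 'post_author' => 7, 'post_status' => 'pending',
     'post_content' => "Hi [better_messages_live_chat_button class='\" onmouseover=\"alert(document.cookie)' text=\"Chat\"] bye"],
    ['ID' => 12, 'post_author' => 7, 'post_status' => 'draft',
     'post_content' => '[better_messages_live_chat_button text="<img src=x onerror=alert(1)>"]'],
];

foreach (bm_find_suspicious_shortcodes($posts) as $hit) {
    printf("post %d (author %d, %s): attribute %s = %s\n",
        $hit['ID'], $hit['post_author'], $hit['post_status'], $hit['attr'], $hit['value']);
}
```

Each hit names the post, its author and its status, which is enough to quarantine the post and review the account. The post_status field is deliberately kept in the report: a scan limited to published posts misses the pending submission that will run in a reviewer's browser.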


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-22T00:01:39.324Z
Cvss Version
3.1
State
PUBLISHED

Added to database: 2/25/2026, 9:49:24 PM

Last enriched: 2/25/2026, 11:27:48 PM

Last updated: 2/26/2026, 6:17:19 AM
