CVE-2024-13697: CWE-918 Server-Side Request Forgery (SSRF) in wordplus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
CVE-2024-13697 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Better Messages – Live Chat plugin for WordPress and related platforms such as BuddyPress, PeepSo, Ultimate Member, and BuddyBoss. The vulnerability exists in all versions up to and including 2.7.4 and is triggered via the 'nice_links' feature when 'Enable link previews' is enabled, which is the default setting. This flaw allows unauthenticated attackers to make arbitrary web requests from the server hosting the plugin, potentially accessing or modifying internal services. The CVSS score is 4.8, indicating medium severity, with low confidentiality and integrity impact, no availability impact, and requiring no authentication but high attack complexity. No known exploits are currently reported in the wild. Organizations using this plugin should disable link previews until a fixed version is available and update the plugin as soon as it is released. The threat primarily affects websites using these WordPress plugins, with higher risk in countries with widespread WordPress adoption and significant use of these social and community plugins.
AI Analysis
Technical Summary
CVE-2024-13697 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Better Messages – Live Chat plugin for WordPress and its integrations with BuddyPress, PeepSo, Ultimate Member, and BuddyBoss platforms. The vulnerability resides in the 'nice_links' functionality, which fetches URLs to generate link previews when the 'Enable link previews' feature is active (enabled by default). Because the URL to preview is attacker-supplied and the request does not require authentication, an attacker can cause the server to initiate HTTP requests to arbitrary internal or external locations. This can lead to unauthorized querying or modification of internal services that are otherwise inaccessible externally, potentially exposing sensitive information or enabling further attacks within the internal network. The vulnerability affects all plugin versions up to and including 2.7.4. The CVSS 3.1 base score of 4.8 reflects a medium severity rating; the vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates a network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and low impacts on confidentiality and integrity, with no impact on availability. No public exploits or active exploitation have been reported yet. The vulnerability was published on March 1, 2025, and was reserved on January 23, 2025. No official patches have been linked at this time, so mitigation relies on configuration changes or monitoring until updates are released.
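As an added illustration, not code from the Better Messages plugin (whose implementation is not shown on this page), the following Python sketches a link-preview fetcher with the checks that prevent this class of SSRF: scheme and port allow-listing, validation of every resolved address against private, loopback, link-local and metadata ranges, pinning the connection to the validated address, and re-validation on each redirect hop. The DNS table, the web responses and the attacker hostnames are constructed stand-ins so the example runs offline; `system_resolve` is the resolver a real deployment would pass in.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], List[str]]
# transport(url, pinned_ip) -> (status, headers, body). A real transport must
# open the TCP connection to pinned_ip and send the Host header for the
# hostname, so a second DNS lookup cannot swap in an internal address.
Transport = Callable[[str, str], Tuple[int, Dict[str, str], bytes]]

# Ranges a preview fetcher must never reach; the cloud metadata address
# 169.254.169.254 falls inside the link-local block.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

class UnsafeURL(ValueError):
    """Raised when a preview URL must not be fetched."""

def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return not any(addr in net for net in BLOCKED_NETWORKS)

def validate_preview_url(url: str, resolve: Resolver) -> Tuple[str, str]:
    """Return (hostname, pinned_ip) if url is safe to fetch, else raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in (80, 443):
        raise UnsafeURL(f"port not allowed: {port}")
    # Check the *resolved* addresses rather than the hostname text: that covers
    # "localhost", decimal or hex IP spellings, and DNS names pointing inward.
    addrs = resolve(host)
    if not addrs:
        raise UnsafeURL(f"{host} does not resolve")
    for ip in addrs:
        if not is_public_address(ip):
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return host, addrs[0]

def fetch_preview(url: str, resolve: Resolver, transport: Transport,
                  max_redirects: int = 3) -> bytes:
    """Fetch url for a link preview, re-validating every redirect hop."""
    for _ in range(max_redirects + 1):
        _host, pinned_ip = validate_preview_url(url, resolve)
        status, headers, body = transport(url, pinned_ip)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers.get("Location", ""))
            continue
        return body
    raise UnsafeURL("too many redirects")

def system_resolve(host: str) -> List[str]:
    """Production resolver: every A/AAAA answer for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

# Constructed offline stand-ins for DNS and HTTP (assumed hostnames/answers).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "2130706433": ["127.0.0.1"],                          # decimal spelling of 127.0.0.1
    "mixed.attacker.test": ["203.0.113.9", "10.0.0.5"],   # one public, one private answer
    "jump.attacker.test": ["203.0.113.10"],
}
FAKE_WEB = {
    "https://example.com/post": (200, {}, b"<title>Example post</title>"),
    "http://jump.attacker.test/": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}

def fake_resolve(host: str) -> List[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # IP literals resolve to themselves
    except ValueError:
        return list(FAKE_DNS.get(host, []))

def fake_transport(url: str, pinned_ip: str):
    return FAKE_WEB.get(url, (404, {}, b""))

def preview_outcome(url: str) -> Tuple[str, object]:
    """('fetched', body) or ('blocked', reason) for url under the fake network."""
    try:
        return "fetched", fetch_preview(url, fake_resolve, fake_transport)
    except UnsafeURL as exc:
        return "blocked", str(exc)

if __name__ == "__main__":
    for u in ("https://example.com/post", "http://169.254.169.254/latest/meta-data/",
              "http://2130706433/", "http://jump.attacker.test/", "file:///etc/passwd"):
        print(u, "->", preview_outcome(u))
```

The two checks that matter most are the ones a hostname-string denylist misses: validating every address the name resolves to (a name answering with one public and one private address is rejected outright) and re-running the validation on each redirect, since the first hop can be a harmless public host that 302s to the metadata service. In a WordPress plugin the nearest built-in equivalent of the address-range check is `wp_safe_remote_get()`, which rejects URLs resolving to local or private addresses; that is a general WordPress API note, not a statement about how this plugin is or will be fixed.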
Potential Impact
The SSRF vulnerability allows attackers to leverage the web server hosting the vulnerable plugin to send crafted requests to internal or external systems, potentially bypassing network access controls. This can lead to unauthorized access to internal services, such as databases, metadata services in cloud environments, or administrative interfaces not exposed externally. Although the CVSS score indicates medium severity, the impact on confidentiality and integrity can be significant depending on the internal network architecture and the sensitivity of accessible services. Attackers could use this vector to gather internal information, perform reconnaissance, or pivot to other attacks. The lack of authentication requirement increases the risk, as any unauthenticated user can attempt exploitation. However, the high attack complexity and requirement for the 'Enable link previews' feature to be active limit the ease of exploitation. Organizations running affected versions of the plugin on public-facing WordPress sites are at risk, especially those with sensitive internal services accessible from the web server. The vulnerability does not impact availability directly but can facilitate further attacks that might.
Mitigation Recommendations
Until an official patch is released, organizations should immediately disable the 'Enable link previews' feature in the Better Messages plugin settings; with previews off, the 'nice_links' fetch that carries the SSRF is not performed. Administrators should also restrict outbound HTTP(S) from the web server with host- or network-level egress filtering (deny RFC 1918, loopback, link-local and cloud metadata ranges, or force outbound fetches through a forward proxy with an allow-list); note that a WAF inspects inbound requests and does not, by itself, stop the server's own outbound connections. Where the server runs in a cloud environment, enable the provider's hardened metadata access mode so that a single forged GET cannot return instance credentials. For detection, keep in mind that web server access logs record the inbound request, not the fetch it triggers: look instead at host firewall, proxy or flow logs for connections originating from the web server to internal IP ranges, loopback, or the metadata address, and correlate spikes with inbound traffic to the plugin's preview endpoint. Update the plugin promptly once a fixed version is available. Additionally, internal services should be segmented and protected with strong access controls so that a request arriving from the web server is not implicitly trusted, and server processes should run with least privilege. Regular vulnerability scanning and penetration testing focusing on SSRF vectors (URL-fetching features such as previews, webhooks and importers) can help identify similar issues proactively.
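Because access logs show only the inbound request and not the fetch it triggers, detection has to read egress data. The following Python is an added example, not from this page or the plugin vendor: it scans host-firewall style log lines for connections from the web server to non-public addresses, the cloud metadata endpoint, or unexpected ports, after subtracting known-good flows. The log format, the host addresses, the web server set and the allow-list are constructed assumptions to be adapted to the environment.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed egress log lines in a simple key=value layout; a host firewall or
# forward proxy would emit something similar (adjust LINE_RE to the real source).
SAMPLE_EGRESS_LOG = """\
2025-03-01T10:12:03Z src=10.20.0.7 dst=93.184.216.34 dport=443 proto=tcp
2025-03-01T10:12:09Z src=10.20.0.7 dst=169.254.169.254 dport=80 proto=tcp
2025-03-01T10:12:10Z src=10.20.0.7 dst=169.254.169.254 dport=80 proto=tcp
2025-03-01T10:12:14Z src=10.20.0.7 dst=10.20.0.12 dport=3306 proto=tcp
2025-03-01T10:12:20Z src=10.20.0.7 dst=127.0.0.1 dport=6379 proto=tcp
2025-03-01T10:12:31Z src=10.20.0.7 dst=151.101.65.69 dport=8080 proto=tcp
2025-03-01T10:13:02Z src=10.20.0.9 dst=10.20.0.12 dport=3306 proto=tcp
2025-03-01T10:13:40Z src=10.20.0.7 dst=93.184.216.34 dport=443 proto=tcp
"""

WEB_SERVERS = {"10.20.0.7"}           # assumed: hosts running the WordPress site
ALLOWED_PORTS = {80, 443}             # what a link-preview fetch legitimately uses
# Assumed known-good flows, e.g. the web server talking to its own database.
EGRESS_ALLOWLIST = {("10.20.0.7", "10.20.0.12", 3306)}
METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def classify(dst: str, dport: int) -> List[str]:
    """Reasons a web-server egress flow to dst:dport looks like SSRF fallout."""
    reasons = []
    addr = ipaddress.ip_address(dst)
    # is_global is False for private, loopback, link-local, CGNAT and the
    # documentation/test ranges, all of which a preview fetch should never hit.
    if not addr.is_global:
        reasons.append("non-public destination")
    if addr == METADATA_ENDPOINT:
        reasons.append("cloud metadata endpoint")
    if dport not in ALLOWED_PORTS:
        reasons.append(f"unexpected port {dport}")
    return reasons

def find_ssrf_egress(log_text: str) -> Dict[Tuple[str, str, int], dict]:
    """Aggregate suspicious web-server egress by (src, dst, dport)."""
    alerts = defaultdict(lambda: {"count": 0, "first": None, "last": None, "reasons": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src not in WEB_SERVERS or (src, dst, dport) in EGRESS_ALLOWLIST:
            continue
        reasons = classify(dst, dport)
        if not reasons:
            continue
        entry = alerts[(src, dst, dport)]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["reasons"].update(reasons)
    return dict(alerts)

if __name__ == "__main__":
    for key, entry in find_ssrf_egress(SAMPLE_EGRESS_LOG).items():
        print(key, entry["count"], sorted(entry["reasons"]), entry["first"], entry["last"])
```

Two hits on the metadata address within a second from the web server, with no matching allow-list entry, is the signature worth paging on; flows to 3306 from an application tier that is supposed to reach the database are excluded only because they are enumerated, so the allow-list is what keeps this from being noisy.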
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-23T23:19:17.165Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e69b7ef31ef0b5a0270
Added to database: 2/25/2026, 9:49:29 PM
Last enriched: 2/25/2026, 10:45:54 PM
Last updated: 2/26/2026, 7:29:22 AM