The Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages WordPress plugin is vulnerable to stored cross-site scripting (CWE-79) due to improper neutralization of input during web page generation. Specifically, the guest display name input is not properly sanitized or escaped, enabling unauthenticated attackers to inject arbitrary web scripts. These scripts execute in the context of users who view the injected pages, potentially leading to information disclosure or session hijacking. This vulnerability affects all versions up to and including 2.10.2. The CVSS 3.1 base score is 6.1 (medium), with attack vector network, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, no impact on availability. There is no vendor advisory or patch link provided at this time.

An attacker can inject persistent malicious scripts via the guest display name field, which execute when other users access the affected pages. This can lead to unauthorized actions performed in the context of the victim user, such as theft of session tokens or other sensitive information. The impact is limited to confidentiality and integrity with no reported impact on availability. The vulnerability requires user interaction (victim visiting the injected page) and no privileges or authentication are needed by the attacker.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is currently referenced, users should monitor the vendor's communications for updates. Until a fix is available, consider restricting guest user input or applying web application firewall (WAF) rules to detect and block suspicious input patterns related to guest display names. Avoid exposing the guest display name field in contexts where script execution could occur.