CVE-2025-14154 is a stored cross-site scripting vulnerability identified in the Better Messages – Live Chat plugin used across multiple WordPress-related platforms including BuddyPress, PeepSo, Ultimate Member, and BuddyBoss. The vulnerability exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of guest display names. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code into chat pages. When other users access these pages, the malicious scripts execute in their browsers, potentially enabling attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability affects all versions up to and including 2.10.2. The CVSS 3.1 base score is 6.1, reflecting medium severity, with attack vector network-based, low attack complexity, no privileges required, but user interaction needed. The scope is changed because the vulnerability impacts user confidentiality and integrity but not availability. No public exploits have been reported yet, but the widespread use of the plugin and the ease of exploitation make it a significant risk. The vulnerability is categorized under CWE-79, a common and well-understood class of web application security flaws. Due to the nature of stored XSS, the impact can be persistent and affect multiple users over time. The plugin's integration with popular community and membership platforms increases the potential attack surface and the value of compromised accounts.

The vulnerability can lead to unauthorized script execution in the context of affected users' browsers, compromising confidentiality and integrity of user data. Attackers can hijack user sessions, steal sensitive information such as cookies or tokens, perform unauthorized actions on behalf of users, or deliver further malware payloads. This can erode user trust, lead to account compromise, and potentially facilitate lateral movement within affected websites. Since the vulnerability is exploitable by unauthenticated attackers and requires only that a user views the injected content, the risk is elevated in environments with high guest or user interaction. Organizations relying on the affected plugin for live chat and community engagement face reputational damage, potential data breaches, and regulatory compliance issues if user data is exposed. The absence of availability impact limits direct service disruption, but the indirect consequences of compromised user accounts and data leakage can be severe. The widespread deployment of WordPress and associated plugins globally means the potential scale of impact is large, especially for sites with active user communities.

1. Immediately update the Better Messages – Live Chat plugin to a patched version once available from the vendor. 2. Until a patch is released, implement strict input validation and sanitization on guest display names, ensuring all user-supplied data is properly escaped before rendering in HTML contexts. 3. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of injected code. 4. Limit guest user capabilities to prevent arbitrary input or restrict guest access to chat features where feasible. 5. Monitor logs and user inputs for suspicious script patterns or injection attempts. 6. Educate site administrators and users about the risks of XSS and encourage cautious interaction with chat content. 7. Use web application firewalls (WAFs) with rules targeting common XSS payloads to block exploitation attempts. 8. Regularly audit and test the plugin and website for similar input validation flaws. 9. Implement HTTP-only and secure flags on cookies to reduce session hijacking risks. 10. Consider sandboxing or isolating chat content in iframes with restrictive permissions to limit script impact.