CVE-2025-14154 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 that affects the Better Messages – Live Chat plugin for WordPress and its integrations with BuddyPress, PeepSo, Ultimate Member, and BuddyBoss. The vulnerability stems from insufficient sanitization and escaping of the guest display name input field, which is stored and later rendered on chat pages without proper neutralization. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code that executes in the context of any user who views the infected chat page. Because the malicious payload is stored, the attack can persist and affect multiple users over time. The vulnerability affects all plugin versions up to 2.10.2. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector (no physical or local access needed), low attack complexity, no privileges required, but requiring user interaction (viewing the page). The scope is changed (S:C) because the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting user sessions and data confidentiality. While no known exploits have been reported in the wild, the widespread use of WordPress and these popular plugins increases the risk of exploitation. Attackers could leverage this vulnerability to steal session cookies, perform actions on behalf of users, or deliver further malware payloads. The vulnerability does not impact availability but compromises confidentiality and integrity of user data and sessions.

For European organizations, the impact of this vulnerability can be significant, especially for those operating public-facing websites with active user communities relying on the Better Messages plugin or its integrations. Exploitation could lead to unauthorized access to user accounts, theft of sensitive information such as session tokens or personal data, and potential reputational damage due to compromised user trust. Organizations in sectors like e-commerce, education, social networking, and customer support that use these chat platforms may face increased risk of targeted attacks. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting user data; a successful exploit could lead to compliance violations and financial penalties. The persistent nature of stored XSS means that multiple users can be affected over time, increasing the scope of impact. Although no availability impact is expected, the confidentiality and integrity breaches can disrupt normal business operations and user interactions.

To mitigate this vulnerability, organizations should immediately update the Better Messages plugin and all related integrations to the latest patched version once available. Until a patch is released, administrators should consider disabling guest display name functionality or restricting guest access to chat features to prevent unauthenticated input. Implementing Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the guest display name field can provide temporary protection. Conduct thorough input validation and output encoding on all user-supplied data, especially in chat modules. Regularly audit and monitor logs for suspicious activity or injection attempts. Educate users about the risks of clicking on untrusted links or interacting with unknown chat messages. Additionally, employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Finally, ensure that all WordPress installations and plugins follow secure coding practices and are kept up to date to reduce exposure to similar vulnerabilities.