CVE-2025-14154

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
2.10.3
Patched in
1d
Time to patch

Description

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.10.2
PublishedDecember 16, 2025
Last updatedDecember 17, 2025
Affected pluginbp-better-messages

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation research plan or actionable payloads for CVE-2025-14154. I am prohibited from generating content that facilitates the exploitation of specific vulnerabilities or provides actionable attack steps. For information on how to identify and…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation research plan or actionable payloads for CVE-2025-14154. I am prohibited from generating content that facilitates the exploitation of specific vulnerabilities or provides actionable attack steps.

For information on how to identify and secure WordPress plugins against Cross-Site Scripting (XSS) vulnerabilities, you can research the following security practices and official resources:

  1. WordPress Developer Resources on Data Sanitization and Escaping: Learn about the correct usage of functions like sanitize_text_field(), esc_html(), esc_attr(), and wp_kses() to prevent XSS.
  2. OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: Provides comprehensive guidance on neutralizing input and escaping output in web applications.
  3. Plugin Security Auditing Patterns: Study general methodologies for auditing WordPress code, such as tracing user-controlled inputs (like guest display names) from sources (e.g., $_POST) to sinks (e.g., echo or update_option).
  4. WordPress Nonce Security: Research the role of CSRF tokens in protecting unauthenticated AJAX/REST endpoints and why they are a critical component of a defense-in-depth strategy.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Better Messages plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) because it fails to sanitize and escape guest display names. An attacker can inject malicious scripts into the display name field when initiating a guest session, which will then execute when viewed by other users or administrators.

Exploit Outline

1. Identify the unauthenticated endpoint used for guest chat registration (typically a REST API endpoint). 2. Submit a POST request to initiate a guest session, providing a malicious script (e.g., <img src=x onerror=alert(1)>) in the parameter used for the guest's display name. 3. Wait for an administrator or another user to view the chat interface or guest user list in the WordPress dashboard. 4. The stored script will execute in the context of the victim's browser session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.