Cyber Posture

CVE-2024-13611

Severity: High
Published: 01 March 2025
Modified: 26 May 2025
KEV Added: not listed
Patch: WordPress plugin trac changeset 3228957
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0021 (42.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13611 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the Wordplus Better Messages plugin for WordPress. File attachments exchanged in chat messages are written to the web-accessible /wp-content/uploads/bp-better-messages directory, from which an unauthenticated attacker can retrieve them. Its CVSS 3.1 base score is 7.5 (High).

Operationally, its EPSS score of 0.0021 places it at the 42.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified by this analysis are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement): deny anonymous web access to the attachment directory and disable directory indexing. A blanket deny at the web server can also break legitimate downloads if the plugin links to the files directly, so apply the vendor patch first and treat the web-server rule as a backstop.

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-22 Publicly Accessible Content (prevent): Directly limits public access to sensitive content such as the /wp-content/uploads/bp-better-messages directory, which holds chat file attachments.

CM-7 Least Functionality (prevent): Disables directory browsing on the web server and restricts access to non-essential upload paths, so that an attacker who reaches the directory cannot enumerate its contents.

AC-3 Access Enforcement (prevent): Enforces access control policy at the web server to block unauthenticated requests for files and directories in the plugin's storage location.
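As an added example (not code from the plugin, Wordfence, NVD or this site), the following Python script checks whether a site you administer actually exposes the attachment directory described above. It requests the directory root anonymously and classifies the response as a directory listing, a served file, a denied path or an absent path, and can optionally fetch one attachment that you uploaded yourself in a test conversation. The verdict labels, the listing heuristics (markers from Apache mod_autoindex and nginx autoindex pages) and the function names are the author's own. Run it only against hosts you are authorised to test.

```python
"""Exposure check for the Better Messages attachment directory.

Added example for this page; not code from the plugin, Wordfence or NVD.
Verdict labels, heuristics and function names are the author's own.
Only run against hosts you are authorised to test.
"""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request

EXPOSED_DIR = "/wp-content/uploads/bp-better-messages/"

# Strings found in Apache mod_autoindex and nginx autoindex pages.
_LISTING_RE = re.compile(r"<(?:title|h1)>\s*Index of\s+/|Parent Directory", re.I)


def classify(status: int, content_type: str, body: str) -> str:
    """Map one anonymous HTTP response to an exposure verdict.

    listing - a directory index came back: every attachment name is enumerable
    served  - 200 with non-HTML content: an attachment was handed to an
              unauthenticated client
    blocked - 401/403: the web server denies the path (the target state)
    absent  - 404: path does not exist (wrong path, or plugin not installed)
    other   - e.g. a 200 HTML page after a redirect to the login form
    """
    ct = content_type.lower()
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "absent"
    if status == 200:
        if "text/html" in ct and _LISTING_RE.search(body):
            return "listing"
        if "text/html" not in ct:
            return "served"
    return "other"


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str, str]:
    """Anonymous GET returning (status, Content-Type, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "bm-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), ""


def check_site(base_url: str, own_attachment: str | None = None) -> dict[str, str]:
    """Probe the directory root and, optionally, one attachment that you
    uploaded yourself in a test conversation (never other users' files)."""
    root = base_url.rstrip("/") + EXPOSED_DIR
    results = {"directory": classify(*fetch(root))}
    if own_attachment:
        results["attachment"] = classify(*fetch(root + own_attachment.lstrip("/")))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: exposure_check.py https://example.org [relative/attachment/path]")
    for probe, verdict in check_site(sys.argv[1], *sys.argv[2:3]).items():
        print(f"{probe}: {verdict}")
```

A "listing" verdict on the directory means indexing is still enabled at the web-server layer (Apache: `Options -Indexes`; nginx: `autoindex off`, which is the default). A "served" verdict on your own test attachment means direct URLs still work without a session, so the plugin update matters as much as the web-server rule. "blocked" on both probes is the state the AC-22 and AC-3 controls above aim for.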

NVD Description

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.

Deeper analysis

CVE-2024-13611 is a sensitive information exposure (CWE-200) in the Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress, affecting all versions up to and including 2.6.9. Attachments that users include in chat messages are written to /wp-content/uploads/bp-better-messages, a location the web server serves directly, so the plugin's application-level access checks are not applied to direct requests for those files.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, no privileges and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). An attacker still needs file names: a directory listing, where the web server permits indexing, hands them over wholesale, and otherwise a guessed or leaked attachment URL suffices. Exploitation results in high confidentiality impact with no effect on integrity or availability.

Advisories and references point to a fix in WordPress plugin trac changeset 3228957, with the relevant code in trunk/addons/files.php. Further details are available in the Wordfence threat-intelligence entry 997918b9-2ccd-413e-9df2-d24bc3820ba1.
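To look for past abuse of this exposure, here is an added example (not a Wordfence, NVD or plugin artefact; the log lines are constructed and the thresholds are the author's own) that scans Apache or nginx combined-format access logs for two signals: successful GETs of the directory root, which mean an index was served, and single clients fetching many distinct files under the directory. WordPress logins are cookie-based, so the log's auth-user field is always '-'; the logic therefore cannot tell anonymous from logged-in clients and relies on volume and on the listing hit instead.

```python
"""Access-log detection for enumeration of the Better Messages attachment
directory. Added example for this page; the log lines are constructed and
the thresholds are the author's own, not a Wordfence or plugin artefact.
"""
from __future__ import annotations

import re
import sys
from collections import defaultdict
from urllib.parse import urlsplit

TARGET_DIR = "/wp-content/uploads/bp-better-messages/"

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (paths are invented): one client lists the directory and
# pulls five files, a second fetches one file from inside the app and is then
# denied a listing (hardened host), a third is unrelated noise.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2025:10:15:01 +0000] "GET /wp-content/uploads/bp-better-messages/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:15:02 +0000] "GET /wp-content/uploads/bp-better-messages/2025/02/contract.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:15:02 +0000] "GET /wp-content/uploads/bp-better-messages/2025/02/passport.jpg HTTP/1.1" 200 301223 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:15:03 +0000] "GET /wp-content/uploads/bp-better-messages/2025/02/invoice.xlsx HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:15:03 +0000] "GET /wp-content/uploads/bp-better-messages/2025/01/notes.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:15:04 +0000] "GET /wp-content/uploads/bp-better-messages/2025/01/photo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2025:10:20:00 +0000] "GET /wp-content/uploads/bp-better-messages/2025/02/contract.pdf HTTP/1.1" 200 88211 "https://example.org/messages/" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2025:10:21:00 +0000] "GET /wp-content/uploads/bp-better-messages/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2025:10:25:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "curl/8.0"
"""


def parse(line: str) -> dict | None:
    """Return ip/time/method/path/status for one combined-format line, else None."""
    m = _COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["path"]).path  # strip any query string
    return rec


def detect(lines, distinct_files: int = 5) -> dict:
    """Two signals for CVE-2024-13611 style extraction.

    listing_hits: (ip, time) for every 200 on the directory itself, meaning
                  the web server served an index; a 403/404 here means the
                  directory-browsing hardening held.
    enumerators:  ip -> count for clients that fetched at least
                  `distinct_files` different attachments. WordPress logins are
                  cookie-based, so the log's auth-user field is always '-';
                  volume, not identity, is the usable signal.
    """
    listing_hits = []
    files_by_ip = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "GET" or not rec["path"].startswith(TARGET_DIR):
            continue
        if rec["status"] != 200:
            continue
        if rec["path"] == TARGET_DIR:
            listing_hits.append((rec["ip"], rec["time"]))
        else:
            files_by_ip[rec["ip"]].add(rec["path"])
    enumerators = {ip: len(p) for ip, p in files_by_ip.items() if len(p) >= distinct_files}
    return {"listing_hits": listing_hits, "enumerators": enumerators}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            findings = detect(fh)
    else:
        findings = detect(SAMPLE_LOG.splitlines())
    print(findings)
```

On the sample, 203.0.113.10 is reported both for the served listing and as an enumerator with five distinct files, while 198.51.100.7 (one in-app download, then a 403 on the directory) and the unrelated client produce nothing. Tune `distinct_files` to your site's normal per-user attachment traffic, and read a 200 listing hit as confirmation that the directory was indexable at that time.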

Details

CWE(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products: Wordplus Better Messages ≤ 2.7.0 (the NVD description above gives the affected range as up to and including 2.6.9; reconcile against the vendor changelog before deciding whether an installed 2.7.0 is affected)

CVEs Like This One (shared CWE-200)

CVE-2026-24870
CVE-2026-4020
CVE-2025-21620
CVE-2025-62188
CVE-2024-13562
CVE-2024-57716
CVE-2026-27161
CVE-2026-21260
CVE-2025-24102
CVE-2024-12142
