Cyber Resilience

CVE-2024-13611

Severity: High
Published: 01 March 2025
Modified: 26 May 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0021 (42.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13611 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wordplus Better Messages. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 42.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-13611 is a sensitive information exposure vulnerability (CWE-200) in the Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress, affecting all versions up to and including 2.6.9. The flaw lies in the 'bp-better-messages' upload directory: file attachments included in chat messages are stored insecurely under /wp-content/uploads/bp-better-messages, where they can be reached directly.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, no privileges, and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation enables attackers to extract the sensitive data from the exposed directory, resulting in high confidentiality impact without affecting integrity or availability.

Advisories and references point to mitigation via a patch in WordPress plugin trac changeset 3228957, with related code visible in trunk/addons/files.php. Further details are available in Wordfence threat intelligence for vulnerability ID 997918b9-2ccd-413e-9df2-d24bc3820ba1.

Vulnerability details

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory, which can contain file attachments included in chat messages.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

A vulnerability in a public-facing WordPress plugin directly enables remote, unauthenticated file access and data extraction from the exposed local directory.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-22973 (shared CWE-200)
- CVE-2024-43707 (shared CWE-200)
- CVE-2024-13606 (shared CWE-200)
- CVE-2024-13622 (shared CWE-200)
- CVE-2024-13600 (shared CWE-200)
- CVE-2024-55272 (shared CWE-200)
- CVE-2025-26167 (shared CWE-200)
- CVE-2024-13568 (shared CWE-200)
- CVE-2024-13638 (shared CWE-200)
- CVE-2025-24253 (shared CWE-200)

Affected Assets

Vendor: wordplus
Product: better messages
Versions: ≤ 2.7.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- AC-22 Publicly Accessible Content (prevent): Directly limits public access to sensitive content such as the /wp-content/uploads/bp-better-messages directory containing chat file attachments.
- CM-7 Least Functionality (prevent): Enforces least functionality by configuring web servers to disable directory browsing and restrict access to non-essential upload paths.
- AC-3 Access Enforcement (prevent): Enforces access control policies to block unauthenticated access to sensitive directories and files in the plugin's storage location.
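As an added illustration of the directory-browsing and access-restriction controls above (not configuration from the plugin, Wordfence, or this advisory), an Apache .htaccess for the attachment directory. It assumes Apache httpd with AllowOverride in effect for the uploads tree and that attachments are delivered through the plugin's own PHP handler rather than by direct URL:

```apache
# Added example: not configuration from the plugin, Wordfence, or this advisory.
# Assumes Apache httpd with AllowOverride enabled for the uploads tree, and that
# Better Messages delivers attachments through its own PHP handler rather than
# by direct URL (verify attachment downloads still work after applying this).
# File location: /wp-content/uploads/bp-better-messages/.htaccess

# Weak state: directory listing enabled, so every stored attachment is
# visible and served to anyone who can reach the path.
#   Options +Indexes

# Hardened: never render a directory listing for this tree ...
Options -Indexes

# ... and refuse direct web access to the stored attachments. Apache 2.4 uses
# mod_authz_core ("Require"); the fallback covers 2.2-style "Order/Deny".
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After applying it, a request for the directory URL should return 403 rather than an index page, which is a quick check that both controls took effect.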
