PT-2021-16302 · WordPress · Bp Better Messages

Author: Brandon Roldan
Published: 2021-11-01 · Updated: 2021-11-09
CVE-2021-24809
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BP Better Messages WordPress plugin versions prior to 1.9.9.41
Description: The plugin performs no CSRF (nonce) checks in multiple AJAX actions. Specifically, the affected actions include bp better messages leave chat, bp better messages join chat, bp messages leave thread, bp messages mute thread, bp messages unmute thread, bp better messages add user to thread, and bp better messages exclude user from thread. An attacker who gets a logged-in user to visit a crafted page can make that user's browser submit these actions, so the user leaves, joins, mutes or unmutes a thread, or adds or removes a thread member, without intending to.
Recommendations: For versions prior to 1.9.9.41, update to version 1.9.9.41 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable AJAX actions until a patch is applied.
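As an added illustration (not code from the plugin or from this advisory), the weak and the hardened form of a WordPress AJAX handler for leaving a thread; all hook, function, script-handle and meta-key names are hypothetical:

```php
<?php
// Added illustration (not the plugin's code): a WordPress AJAX action without and
// with CSRF protection. All hook, function and meta-key names are hypothetical.

// Hypothetical thread membership kept in user meta, so the handlers have state to act on.
function example_user_in_thread( $user_id, $thread_id ) {
    $threads = array_map( 'intval', (array) get_user_meta( $user_id, 'example_threads', true ) );
    return in_array( (int) $thread_id, $threads, true );
}
function example_remove_user_from_thread( $user_id, $thread_id ) {
    $threads = array_map( 'intval', (array) get_user_meta( $user_id, 'example_threads', true ) );
    update_user_meta( $user_id, 'example_threads', array_values( array_diff( $threads, array( (int) $thread_id ) ) ) );
}

// Weak pattern: no nonce. Any site the logged-in user visits can POST this action to
// admin-ajax.php; the browser attaches the user's cookies, so it runs as that user.
add_action( 'wp_ajax_example_leave_thread_weak', function () {
    $thread_id = absint( $_POST['thread_id'] ?? 0 );
    example_remove_user_from_thread( get_current_user_id(), $thread_id );
    wp_send_json_success();
} );

// Hardened pattern: require a nonce bound to this user and action, then reject
// requests for threads the user does not belong to.
add_action( 'wp_ajax_example_leave_thread', function () {
    // Dies with HTTP 403 when the nonce is missing, stale or forged.
    check_ajax_referer( 'example_leave_thread', 'nonce' );

    $user_id   = get_current_user_id();
    $thread_id = absint( $_POST['thread_id'] ?? 0 );
    if ( ! $thread_id || ! example_user_in_thread( $user_id, $thread_id ) ) {
        wp_send_json_error( 'not a participant of this thread', 403 );
    }
    example_remove_user_from_thread( $user_id, $thread_id );
    wp_send_json_success();
} );

// The nonce reaches only the site's own script (assumed registered as 'example-messages');
// a cross-origin page cannot read it, so it cannot build a valid request.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-messages', 'exampleMessages', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_leave_thread' ),
    ) );
} );
```

The nonce does not replace the membership check: the nonce shows the request came from the site's own page, while the check decides what that user is allowed to do.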

Exploit · Fix · CSRF


Related Identifiers: CVE-2021-24809
Affected Products: Bp Better Messages