PT-2025-9168 · WordPress · The Better Messages
Tim Coen · Published 2025-03-01 · Updated 2025-05-26
CVE-2024-13697
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress versions up to, and including, 2.7.4
Description
The issue allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. This is possible due to Server-Side Request Forgery via the nice links feature. Successful exploitation requires the "Enable link previews" option to be enabled, which is the default setting.
Recommendations
For versions up to, and including, 2.7.4, consider disabling the "Enable link previews" option as a temporary workaround to minimize the risk of exploitation. Additionally, disabling or restricting the use of the nice links feature can help mitigate the issue until a patch is available.
Fix
SSRF
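The description above concerns a link-preview fetcher that follows user-supplied URLs without restricting where they lead. As an added illustration (not the plugin's code, and written in Python rather than PHP), the guard below shows the checks such a fetcher should apply before any outbound request: only http/https on standard ports, no userinfo, and every address the host resolves to must be public. The `resolver` parameter is an assumption introduced so the check can be exercised offline with constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example: pre-fetch validation for a link-preview feature.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_host(host):
    """Resolve a hostname to all of its A/AAAA addresses (real DNS lookup)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_safe_preview_url(url, resolver=resolve_host):
    """Return (ok, reason). `resolver` is injectable (assumption) for offline testing."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # A literal IP in the URL is checked directly; a hostname is resolved and
    # EVERY returned address must pass, so a mixed public/private answer fails.
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges apply.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global rejects loopback, RFC 1918, link-local, shared and reserved space.
        if not ip.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"
```

Validating once and then letting the HTTP client resolve the name again leaves a DNS-rebinding window; connect to the address that passed the check, and re-run the check on every redirect target before following it.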
Affected Products
The Better Messages