BP Better Messages <= 1.9.9.37 is vulnerable to Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated

Published
2021-10-03

The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

CVE

https://www.cve.org/CVERecord?id=CVE-2021-24808

CVSS

Score:6.1

Severity:Medium

Version: 1.9.9.37

There is a patch available in v1.9.9.41 and we strongly recommend you update to this version as soon as possible.