Security Alert Summary
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability via the guest display name. Insufficient input sanitization and output escaping allow an unauthenticated attacker to inject web scripts that execute when a user views an affected page.
CVE Details
- CVE ID:
CVE-2025-14154 - Affected component: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress (guest display name handling)
- Affected versions: All versions up to and including 2.10.2 (as stated in the CVE entry)
- Published: December 17, 2025 at 6:15:41 AM UTC
- Last modified: December 17, 2025 at 6:15:41 AM UTC
- CVSS v3.1: Base Score 6.1, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Authentication / Privileges / User Interaction: Unauthenticated (Privileges Required: None), User Interaction: Required
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness (CWE): CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue stemming from insufficient input sanitization and output escaping of the guest display name. According to the CVE description and provided references, guest-facing code that renders the guest display name can be injected with arbitrary web scripts. The references include a path to inc/guests.php, indicating the guest-handling code is involved in the vulnerable output path.
An unauthenticated attacker can submit a crafted guest display name containing script payloads. Because the plugin fails to properly sanitize or escape that input before rendering, the payload is stored and later executed in the browser context of any user who views the injected page. The CVSS vector notes that user interaction is required (a user must view the affected content) and that the scope is changed, meaning the effect can cross component boundaries within the application context as defined by CVSS.
How This Could Impact Your Website
In a realistic scenario, an external visitor or unauthenticated actor could post a malicious guest display name. When internal staff, contributors, or site administrators view the page or message list that renders that guest name, the injected script can run in their browser. Practical consequences consistent with the CVSS impacts include limited disclosure of data visible in the same page context (for example, profile fields rendered on the page) and modification of content presented to the user. Because integrity impact is listed as low, the vulnerability is unlikely to allow full site takeover on its own, but it can be used to conduct targeted actions like session token theft from users who view the injected content or to present misleading content.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (the CVE notes affected versions through 2.10.2).
- Review and reduce unnecessary user roles, especially contributor-level accounts and any accounts that can post content visible to other users.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior or unexpected content submissions that could indicate attempted XSS injections.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.