Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through <= 2.14.16.
AnalysisAI
Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.
Technical ContextAI
BP Better Messages is a private messaging plugin for WordPress, typically deployed alongside BuddyPress/BuddyBoss community sites to provide real-time chat and direct messages. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), commonly described as an Insecure Direct Object Reference: the application accepts an object key (such as a thread, conversation, or message ID) supplied by the client and uses it to retrieve data without verifying that the requesting user is actually authorized to access that object. Because messaging plugins store conversation contents keyed by sequential or guessable identifiers, a missing or misconfigured access-control check on those keys exposes other users' private message threads. Patchstack's advisory classifies this specifically as an IDOR affecting access-control security levels in the bp-better-messages codebase.
RemediationAI
No vendor-released patch version is identified in the supplied data, so the immediate action is to consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bp-better-messages/vulnerability/wordpress-bp-better-messages-plugin-2-14-16-insecure-direct-object-references-idor-vulnerability) for the latest fixed release and upgrade to any version above 2.14.16 once published; do not assume a specific fixed version that is not confirmed. As compensating controls until a patched release is applied: restrict or disable the BP Better Messages messaging endpoints for unauthenticated/anonymous users (e.g., require login to reach message threads), which reduces exposure but breaks any intended guest-messaging feature; deploy a WAF or virtual-patching rule (Patchstack offers virtual patching for this entry) to block requests that tamper with thread/message ID parameters, accepting potential false positives on legitimate ID changes; and if the plugin is non-essential, deactivate it entirely, accepting loss of private messaging functionality. Audit access logs for anomalous enumeration of message/thread identifiers to detect prior abuse.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32188
GHSA-64vw-m4rv-f6rj