CVE-2021-24809: 
WordPress vulnerability analysis and mitigation

The CVE-2021-24809 vulnerability affects the BP Better Messages WordPress plugin versions before 1.9.9.41. This security flaw was discovered by Brandon Roldan and publicly disclosed on October 4, 2021. The vulnerability is related to multiple Cross-Site Request Forgery (CSRF) issues in various AJAX actions of the plugin (WPScan).

The vulnerability stems from the lack of CSRF protection in multiple AJAX actions including bpbettermessagesleavechat, bpbettermessagesjoinchat, bpmessagesleavethread, bpmessagesmutethread, bpmessagesunmutethread, bpbettermessagesaddusertothread, and bpbettermessagesexcludeuserfrom_thread. The vulnerability has been classified as CWE-352 and received a CVSS score of 5.4 (medium severity). It falls under the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan).

The vulnerability could allow attackers to make logged-in users perform unwanted actions within the BP Better Messages plugin without their consent. This could potentially lead to unauthorized message operations, including leaving or joining chats, muting or unmuting threads, and managing user participation in message threads (WPScan).

The vulnerability has been fixed in version 1.9.9.41 of the BP Better Messages plugin. Users are advised to update to this version or later to protect against potential CSRF attacks. The fix can be verified in the WordPress plugin repository changelog (WordPress Plugin).