CVE-2024-13697: 
WordPress vulnerability analysis and mitigation

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 2.7.4. The vulnerability was discovered and reported by Wordfence, with a CVE identifier of CVE-2024-13697 published on March 1, 2025 (NVD).

The vulnerability exists in the 'nice_links' functionality and has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). Successful exploitation requires the 'Enable link previews' feature to be enabled, which is the default configuration (Wordfence).

When exploited, this vulnerability allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. This can be leveraged to query and modify information from internal services (NVD).

A fix has been implemented and is available in the WordPress plugin repository (WordPress). Users are advised to update to a version newer than 2.7.4 or disable the link previews feature if immediate updating is not possible.