CVE-2025-43839

Vulnerability

Overview CVE-2025-43839 describes a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin BP Messages Tool (bp-messages-tool), affecting versions through 2.2. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary scripts into a response[1].

Exploitation and

Attack Surface Exploitation requires a privileged user (such as an administrator) to perform an action—like clicking a crafted link or visiting a malicious page—that triggers the vulnerable reflection point. No authentication is needed to craft the initial payload, but successful execution depends on an authenticated user interacting with the crafted request[1].

Impact

A successful attack can result in script execution within the victim's browser session, potentially leading to malicious redirects, unwanted advertisements, or other HTML payloads. This could compromise the integrity of the site for visitors and may be leveraged in mass-exploit campaigns[1].

Mitigation

Patchstack has released a mitigation rule to block attacks. The primary remediation is to update the plugin to version 2.5 or later. Users unable to update immediately should contact their hosting provider or web developer for assistance[1].