Cross-Site Request Forgery (CSRF) vulnerability (at bp_messages_favorite) discovered by Vlad Vector (Patchstack) in WordPress Better Messages plugin (versions <= 1.9.9.148).
Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.9.149).