WordPress Plugin Vulnerabilities

Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal

Description

The plugin does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages.

Proof of Concept

Affects Plugins

Plugin icon
tawkto-live-chat
Fixed in 0.6.0

References

CVE
CVE-2021-24914

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.6 (high)

Miscellaneous

Original Researcher
Quentin VILLAIN (3wsec)
Submitter
Quentin VILLAIN (3wsec)
Submitter website
https://3wsec.fr
Verified
Yes
WPVDB ID
39392055-8cd3-452f-8bcb-a650f5bddc2e

Timeline

Publicly Published
2021-11-08 (about 4 years ago)
Added
2021-11-08 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2024-03-28
Title
Social Icons Widget & Block by WPZOOM < 4.2.16 - Missing Authorization
Published
2024-08-14
Title
SmartSearchWP <= 2.4.4 - Unauthenticated Log Purge
Published
2025-09-14
Title
WPLMS < 1.9.9.8 - Missing Authorization
Published
2023-08-24
Title
Category Slider for WooCommerce < 1.4.16 - Missing Authorization via notice dismissal functionality
Published
2023-11-15
Title
WPCafe < 2.2.23 - Missing Authorization