1 results (0.003 seconds)
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 1
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24914 – Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal
https://notcve.org/view.php?id=CVE-2021-24914
08 Nov 2021 — The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable websit... • https://wpscan.com/vulnerability/39392055-8cd3-452f-8bcb-a650f5bddc2e • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •