CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-57026
https://notcve.org/view.php?id=CVE-2024-57026
24 Feb 2025 — TawkTo Widget Version <= 1.3.7 is vulnerable to Cross Site Scripting (XSS) due to processing user input in a way that allows JavaScript execution. • https://cosmosofcyberspace.github.io/tawk_to_cve.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24914 – Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal
https://notcve.org/view.php?id=CVE-2021-24914
08 Nov 2021 — The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable websit... • https://wpscan.com/vulnerability/39392055-8cd3-452f-8bcb-a650f5bddc2e • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •