CVE-2021-24914 Detail
Current Description
The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the ‘tawkto-embed-widget-page-id’ and ‘tawkto-embed-widget-widget-id’ parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, …). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages.
Analysis Description
The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the ‘tawkto-embed-widget-page-id’ and ‘tawkto-embed-widget-widget-id’ parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, …). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages.
Severity
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-862 | Missing Authorization | WPScan |
Change History
1 change records found show changes
Initial Analysis 12/06/2021 4:08:00 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration |
OR
*cpe:2.3:a:tawk:tawk.to_live_chat:*:*:*:*:*:wordpress:*:* versions up to (excluding) 0.6.0
|
|
| Added | CVSS V2 |
NIST (AV:N/AC:M/Au:S/C:P/I:P/A:P) |
|
| Added | CVSS V2 Metadata |
Victim must voluntarily interact with attack mechanism |
|
| Added | CVSS V3.1 |
NIST AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| Changed | Reference Type |
https://wpscan.com/vulnerability/39392055-8cd3-452f-8bcb-a650f5bddc2e No Types Assigned |
https://wpscan.com/vulnerability/39392055-8cd3-452f-8bcb-a650f5bddc2e Exploit, Third Party Advisory |
Quick Info
CVE Dictionary Entry:
CVE-2021-24914
NVD Published Date:
12/06/2021
NVD Last Modified:
12/06/2021
Source:
WPScan