PT-2021-16364 · WordPress · Tawk.To Live Chat

Quentin Villain · Published 2021-12-06 · Updated 2022-10-24

CVE-2021-24914 · CVSS v3.1 8.0 (High) · Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Tawk.To Live Chat WordPress plugin versions prior to 0.6.0
Description: The tawkto setwidget and tawkto removewidget AJAX actions are reachable by any authenticated user and perform neither a capability check nor a CSRF (nonce) check. A low-privileged user, including one with only the Subscriber role, can therefore change the tawkto-embed-widget-page-id and tawkto-embed-widget-widget-id parameters and link the vulnerable website to a Tawk.to instance under their control. That instance can then monitor the website, interact with its visitors by receiving and answering contact messages, and display an arbitrary Knowledge Base. The tawkto removewidget action can likewise be used to remove the live chat widget from pages.
Recommendations: For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the tawkto setwidget and tawkto removewidget AJAX actions to prevent unauthorized changes. Additionally, restrict the ability to change the tawkto-embed-widget-page-id and tawkto-embed-widget-widget-id parameters to only trusted users.
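The two missing checks in plain form, as an added example rather than the plugin's own code: a WordPress AJAX handler that stores the two widget parameters without any checks, beside the hardened version that requires a nonce (CSRF) and an administrative capability (authorization). The hook names, the request field names `pageId`/`widgetId`, the nonce action name and the identifier format are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Hook, field and nonce names are assumed.

// BEFORE (the pattern the advisory describes): every logged-in user reaches a
// wp_ajax_ hook, and the handler persists whatever the request carries.
function tawkto_setwidget_unchecked() {
    update_option( 'tawkto-embed-widget-page-id',   $_POST['pageId'] );
    update_option( 'tawkto-embed-widget-widget-id', $_POST['widgetId'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_tawkto_setwidget_unchecked', 'tawkto_setwidget_unchecked' );

// AFTER (hardened): CSRF check, capability check, input validation, then persist.
function tawkto_setwidget_checked() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() ends the request with HTTP 403 when the nonce is bad.
    check_ajax_referer( 'tawkto_setwidget', 'nonce' );

    // 2. Authorization: only users who may manage site settings can change the widget.
    //    This closes the gap that let Subscriber-role users call the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only short alphanumeric ids (assumed format).
    $page_id   = isset( $_POST['pageId'] )   ? sanitize_text_field( wp_unslash( $_POST['pageId'] ) )   : '';
    $widget_id = isset( $_POST['widgetId'] ) ? sanitize_text_field( wp_unslash( $_POST['widgetId'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $page_id ) || ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $widget_id ) ) {
        wp_send_json_error( 'invalid identifiers', 400 );
    }

    update_option( 'tawkto-embed-widget-page-id',   $page_id );
    update_option( 'tawkto-embed-widget-widget-id', $widget_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_tawkto_setwidget_checked', 'tawkto_setwidget_checked' );

// The settings page that submits the request must embed the matching nonce, e.g.
//   wp_nonce_field( 'tawkto_setwidget', 'nonce' );
// or hand wp_create_nonce( 'tawkto_setwidget' ) to the script that posts the form.
```

The same two checks apply to the removewidget handler; a capability check alone does not stop CSRF, and a nonce alone does not stop a logged-in Subscriber, so both are needed.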

Exploit · Fix

Weakness Enumeration: Missing Authorization · CSRF

Related Identifiers: CVE-2021-24914

Affected Products: Tawk.To Live Chat