CVE-2021-24914

CVSS v3 Score: 8.0 (High)
CVSS v2 Score: 6.0 (Medium)

Vulnerability Description

The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, which are available to any authenticated user. The first action allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second action removes the live chat widget from pages.
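As an added example (not the plugin's own code), here are hypothetical WordPress handlers for the two AJAX actions named above with the capability check and CSRF (nonce) check that the advisory describes as missing. The action hook names and option names come from the description; the function names, nonce action, request parameter names and the id format are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: the two admin-ajax actions
// named in the advisory, with the capability and CSRF (nonce) checks the
// vulnerable versions lacked. Action names and option names are from the
// advisory; the nonce action, request parameter names and id format are assumed.

// Shared guard: every privileged AJAX action runs this first.
function example_tawkto_authorize() {
    // CSRF: require a nonce minted for this user and this action. On a missing
    // or invalid nonce WordPress stops the request with a -1 response.
    check_ajax_referer( 'example_tawkto_admin', 'nonce' );

    // Authorization: admin-ajax.php is reachable by every logged-in user, so the
    // handler itself must check a capability. Subscribers lack manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
}

function example_tawkto_setwidget() {
    example_tawkto_authorize();

    // Input validation: only accept short alphanumeric ids (assumed format).
    $page_id   = isset( $_POST['pageId'] )   ? sanitize_text_field( wp_unslash( $_POST['pageId'] ) )   : '';
    $widget_id = isset( $_POST['widgetId'] ) ? sanitize_text_field( wp_unslash( $_POST['widgetId'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $page_id ) || ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $widget_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    update_option( 'tawkto-embed-widget-page-id', $page_id );
    update_option( 'tawkto-embed-widget-widget-id', $widget_id );
    wp_send_json_success();
}

function example_tawkto_removewidget() {
    example_tawkto_authorize();
    delete_option( 'tawkto-embed-widget-page-id' );
    delete_option( 'tawkto-embed-widget-widget-id' );
    wp_send_json_success();
}

// wp_ajax_{action} hooks only fire for authenticated users; no wp_ajax_nopriv_
// hooks are registered, so anonymous requests never reach these handlers.
add_action( 'wp_ajax_tawkto_setwidget',    'example_tawkto_setwidget' );
add_action( 'wp_ajax_tawkto_removewidget', 'example_tawkto_removewidget' );

// The settings page that renders the form must emit the matching nonce, e.g.
// wp_nonce_field( 'example_tawkto_admin', 'nonce' );
```

Both checks are needed: the capability check stops low-privileged accounts, and the nonce check stops a logged-in administrator's browser from being driven into the action by a third-party page.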

CVSS: 8.0 (High)

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete...

CVSS: 8.0 (High)

The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.

CVSS: 8.0 (High)

The Skylab IGX IIoT Gateway allowed users to connect to it via a limited shell terminal (IGX). However, it was discovered that the process was running under root privileges. This allowed the attacker ...

CVSS: 8.0 (High)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**,...

CVSS: 8.1 (High)

Due to missing authorization checks, any authenticated user is able to list, upload, or delete attachments to password safe entries in Pleasant Password Server before 7.8.3. To perform those actions o...

CVSS: 8.1 (High)

The LearnPress plugin before 3.2.6.9 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter.