WordPress Tawk.To Live Chat plugin <= 0.5.5 - Visitor Monitoring & Chat Removal vulnerability

Visitor Monitoring & Chat Removal vulnerability discovered by Quentin VILLAIN 3wsec in WordPress Tawk.To Live Chat plugin versions = 0.5.5. Solution Update the WordPress Tawk.To Live Chat plugin to the latest available version at least 0.6.0...

Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal

The plugin does not have capability and CSRF checks in the tawktosetwidget and tawktoremovewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users including simple subscribers to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-i...