CVE-2025-45960

6.1 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in tawk.to Live Chat v1.6.1 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects websites using the vulnerable tawk.to Live Chat plugin, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • tawk.to Live Chat
Versions: v1.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects websites using the vulnerable tawk.to Live Chat plugin version.

📦 What is this software?

tawk.to Live Chat is a third-party live-chat widget that site owners add to their pages, either through a plugin or by embedding the vendor's script tag, so that visitors can message support staff from a chat window rendered inside the page.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal user session cookies, redirect users to malicious sites, perform actions on behalf of users, or deface the website.

🟠 Likely Case

Session hijacking, credential theft, or malicious redirects affecting users who interact with the chat interface.

🟢 If Mitigated

Limited impact with proper Content Security Policy (CSP) headers and input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available on GitHub. Exploitation requires user interaction with the chat interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://tawkto.com

Restart Required: No

Instructions:

Check tawk.to website for security updates. Remove or disable the plugin until a patch is available.

🔧 Temporary Workarounds

Implement Content Security Policy (Platform: all)

Add CSP headers to restrict the sources from which scripts may execute. Send the following HTTP response header:

Content-Security-Policy: default-src 'self'; script-src 'self'

Because `script-src 'self'` only permits scripts served from your own origin, it also blocks any third-party script, including the chat widget itself if it is loaded from the vendor's domain; in practice this policy disables the plugin as well as the injected payload.

Disable tawk.to Live Chat (Platform: all)

Temporarily disable the vulnerable plugin: remove or comment out the tawk.to script tags from your web pages.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Monitor for suspicious chat input patterns and block malicious users

🔍 How to Verify

Check if Vulnerable:

Check if tawk.to Live Chat v1.6.1 is installed by reviewing plugin/script versions on web pages

Check Version:

Inspect webpage source for tawk.to script tags and version information

Verify Fix Applied:

Test chat input fields with XSS payloads like <script>alert('test')</script> and verify they are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual chat input patterns containing script tags or JavaScript code
  • Multiple failed XSS attempts in chat logs

Network Indicators:

  • HTTP requests containing XSS payloads to chat endpoints
  • Unexpected external script loads from chat interactions

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND uri="*chat*"
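The SIEM query above matches the indicator strings literally, so a percent-encoded payload in the query string would slip past it. The following added example (not part of the original page) applies the same indicators to constructed web-server log lines after URL-decoding the request URI, and keeps the `*chat*` path constraint; the log format and IP addresses are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic) in a simplified combined-log style.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /chat/start?name=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2025:12:00:02 +0000] "POST /chat/message?text=<script>alert(1)</script> HTTP/1.1" 200 87',
    '203.0.113.9 - - [10/May/2025:12:00:03 +0000] "POST /chat/message?text=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 87',
    '198.51.100.2 - - [10/May/2025:12:00:04 +0000] "GET /blog/post?id=1<script>x</script> HTTP/1.1" 404 0',
    '198.51.100.3 - - [10/May/2025:12:00:05 +0000] "GET /chat/widget.js HTTP/1.1" 200 4096',
]

# The same indicator strings as the page's SIEM query, matched case-insensitively.
INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")

# Client IP, timestamp, method and request URI from one combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"'
)


def flag_xss_in_chat(lines):
    """Return (client_ip, decoded_uri) for chat requests carrying an XSS indicator.

    The URI is percent-decoded before matching, so an encoded payload such as
    %3Cimg%20src%3Dx%20onerror%3D... is flagged even though the literal SIEM
    query would not see the string "onerror=" in the raw log line.
    """
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        uri = unquote_plus(match.group("uri"))
        lowered = uri.lower()
        # Mirror the query's uri="*chat*" constraint to cut noise from other paths.
        if "chat" in lowered and any(ind in lowered for ind in INDICATORS):
            hits.append((match.group("ip"), uri))
    return hits


if __name__ == "__main__":
    for ip, uri in flag_xss_in_chat(SAMPLE_LOGS):
        print(f"{ip} -> {uri}")
```

The fourth sample line carries a script tag but targets a non-chat path, so it is intentionally not flagged; widen or drop the path constraint if the chat endpoint on your site lives elsewhere.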
