
CVE-2025-45960: n/a

Medium
Published: Fri Jul 25 2025 (07/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Cross Site Scripting vulnerability in tawk.to Live Chat v.1.6.1 allows a remote attacker to execute arbitrary code, because the web application stores and displays user-supplied input without proper input validation or encoding.

AI-Powered Analysis

AILast updated: 07/25/2025, 17:17:48 UTC

Technical Analysis

CVE-2025-45960 is a Cross Site Scripting (XSS) vulnerability identified in the tawk.to Live Chat application version 1.6.1. The vulnerability arises because the web application accepts user-supplied input and then stores and displays it without proper input validation or output encoding. As a result, a remote attacker can inject malicious script that executes within the context of the victim's browser session. The vulnerability is classified as a stored XSS: the malicious payload is saved on the server and served to other users, which increases the attack's reach and persistence. Exploiting this flaw could allow attackers to hijack user sessions, steal sensitive information such as cookies or authentication tokens, perform actions on behalf of users, or deliver further malware. The vulnerability does not require authentication or user interaction beyond visiting a compromised page or interacting with the chat widget. Although no known exploits are currently reported in the wild and no CVSS score has been assigned, stored XSS vulnerabilities of this kind typically represent a significant security risk. The lack of a patch link suggests that a fix may not yet be publicly available, underscoring the need for immediate mitigation efforts by affected organizations.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on the tawk.to Live Chat service to interact with customers or provide support. Exploitation could lead to unauthorized access to user accounts, leakage of personal data protected under GDPR, and damage to organizational reputation. Given the sensitivity of customer interactions and the potential for session hijacking, attackers could impersonate legitimate users or administrators, leading to fraudulent transactions or unauthorized data access. Additionally, the persistent nature of stored XSS increases the risk of widespread compromise across multiple users. This could also facilitate phishing attacks or malware distribution targeting European users. Organizations in sectors such as e-commerce, finance, healthcare, and public services, where live chat is commonly used, may face regulatory penalties if personal data is compromised due to this vulnerability.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify if they are using tawk.to Live Chat version 1.6.1 or earlier and monitor for any official patches or updates from the vendor. In the absence of an official patch, immediate steps include implementing Web Application Firewall (WAF) rules to detect and block malicious input patterns associated with XSS attacks targeting the chat interface. Input sanitization and output encoding should be enforced at the application layer, either by customizing the chat widget if possible or by proxying chat traffic through a security gateway that performs these functions. Organizations should also conduct thorough security testing of their live chat implementation to identify and remediate any injection points. User education and awareness campaigns can help reduce the risk of successful social engineering attacks leveraging this vulnerability. Finally, monitoring logs for unusual activity related to the chat service and establishing incident response procedures specific to web application attacks will enhance preparedness.
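The output-encoding control recommended above, as an added illustration that is not code from tawk.to or from this advisory. It assumes a hypothetical widget that builds chat-message markup by string concatenation (the function names, the message shape `{author, text}` and the sample messages are all constructed for this example). It places the vulnerable rendering pattern beside the hardened one and adds a small audit helper a defender could run over stored chat transcripts to find records that already contain raw markup:

```javascript
// Added example (not tawk.to code): render stored, untrusted chat messages
// without letting the browser interpret them as HTML.

// Minimal HTML entity encoder for the HTML text and attribute contexts.
// Every character that can open a tag, close an attribute value, or start
// an entity is replaced by its entity form.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// VULNERABLE pattern: user-controlled fields are concatenated straight into
// markup, so a stored message containing a tag is rendered as that tag.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.author}</b>: ${msg.text}</div>`;
}

// HARDENED pattern: every untrusted field is encoded for the context it
// lands in (here, HTML text) before being placed into the template.
function renderMessageSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.author)}</b>: ${escapeHtml(msg.text)}</div>`;
}

// Defender-side audit: flag stored messages that already contain something
// that looks like an HTML tag or an event-handler attribute, so a transcript
// store can be reviewed and cleaned rather than re-served as-is.
const MARKUP_PATTERN = /<\s*[a-zA-Z!/]|\bon[a-zA-Z]+\s*=/;

function auditStoredMessages(messages) {
  return messages
    .map((msg, index) => ({ index, author: msg.author, flagged: MARKUP_PATTERN.test(msg.text) || MARKUP_PATTERN.test(msg.author) }))
    .filter((entry) => entry.flagged);
}

// Constructed sample transcript: one benign message and one that carries
// a classic script tag as its body.
const SAMPLE_MESSAGES = [
  { author: 'agent', text: 'Hello, how can I help?' },
  { author: 'visitor', text: 'Hi <script>alert(1)</script>' },
];

// Run stand-alone: show both renderings and the audit result.
if (typeof require !== 'undefined' && require.main === module) {
  for (const msg of SAMPLE_MESSAGES) {
    console.log('unsafe:', renderMessageUnsafe(msg));
    console.log('safe:  ', renderMessageSafe(msg));
  }
  console.log('flagged:', auditStoredMessages(SAMPLE_MESSAGES));
}

module.exports = { escapeHtml, renderMessageUnsafe, renderMessageSafe, auditStoredMessages, SAMPLE_MESSAGES };
```

The encoder is context-specific: it is correct for HTML text and quoted attribute values, but a value placed inside a URL, a `<script>` block or inline CSS needs a different encoder, which is why the recommendation above pairs encoding with sanitisation at the application layer rather than relying on a single filter. In live DOM code the same effect is obtained by assigning untrusted strings to `textContent` instead of `innerHTML`.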


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null (no CVSS score assigned)
State: PUBLISHED

Threat ID: 6883b8bfad5a09ad00538529

Added to database: 7/25/2025, 5:02:55 PM

Last enriched: 7/25/2025, 5:17:48 PM

Last updated: 7/26/2025, 6:03:40 AM
