Description
The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL.
Published: 2025-11-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive customer data exposure
Action: Apply Patch
AI Analysis

Impact

The OneClick Chat to Order WordPress plugin contains an Insecure Direct Object Reference that allows unauthenticated users to retrieve confidential customer information such as names, emails, phone numbers, billing and shipping addresses, order contents and payment methods. The vulnerability stems from missing validation on the "wa_order_thank_you_override" endpoint, which is classified as a confidentiality breach (CWE-200).

Affected Systems

The flaw is present in the OneClick Chat to Order plugin by walterpinem and affects every release up to and including version 1.0.8. Any WordPress site that has a vulnerable version of this plugin installed is susceptible to the data exposure attack.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity. An EPSS score of less than 1% suggests a very low probability of large-scale exploitation, yet the lack of authentication requirements means that any user can manifest the flaw by altering the order ID in the URL. The attack path is straightforward: a malicious actor iterates or guesses order identifiers in the thank‑you endpoint to harvest sensitive data. The vulnerability is not currently listed in the CISA KEV catalog, but its potential for privacy violations and downstream fraud remains significant.

Generated by OpenCVE AI on April 22, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OneClick Chat to Order plugin to the most recent release that contains the IDOR fix.
  • If an upgrade is not immediately possible, block external access to the "wa_order_thank_you_override" endpoint by implementing an authentication requirement or using server‑side access controls such as .htaccess rules.
  • Add server‑side validation that ensures an order ID is associated with the current user session or that the request originates from an authorized source before rendering the thank‑you page.

Generated by OpenCVE AI on April 22, 2026 at 00:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Walterpinem
Walterpinem oneclick Chat To Order
Wordpress
Wordpress wordpress
Vendors & Products Walterpinem
Walterpinem oneclick Chat To Order
Wordpress
Wordpress wordpress

Sat, 22 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
Description The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL.
Title OneClick Chat to Order <= 1.0.8 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Walterpinem Oneclick Chat To Order
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:21.023Z

Reserved: 2025-11-21T19:46:22.700Z

Link: CVE-2025-13526

cve-icon Vulnrichment

Updated: 2025-11-24T19:35:42.981Z

cve-icon NVD

Status : Deferred

Published: 2025-11-22T11:15:48.857

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13526

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses