Critical Vulnerability Patched: CVE-2025-13526 in OneClick Chat to Order WordPress Plugin

Overview

CVE-2025-13526 is a high-severity vulnerability affecting the OneClick Chat to Order plugin for WordPress. This vulnerability, present in versions up to and including 1.0.8, allows unauthenticated attackers to access sensitive customer order information by exploiting an Insecure Direct Object Reference (IDOR).

Technical Details

The vulnerability resides in the wa_order_thank_you_override function in the plugin’s code. The function takes an order ID supplied by the visitor and uses it to look up an order without verifying that the requester is entitled to see that order, so an attacker can change the order ID parameter in the URL and retrieve the details of arbitrary orders in the system. This is a classic Insecure Direct Object Reference (IDOR).

The vulnerable code is located in includes/buttons/wa-order-thank-you.php. Prior to the patch, the function did not check whether the requesting user was authorized to view the order details associated with the supplied order ID, so any unauthenticated visitor could view them.
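To make the flaw concrete, here is an added example (written for this page, not the plugin’s actual code) of a simplified thank-you page override in the vulnerable shape described above, followed by a hardened version. The function names, the `order_id` and `key` query parameters, and the `wa_order_render_summary` helper are assumptions; only the WooCommerce calls (`wc_get_order`, `get_user_id`, `get_order_key`) and WordPress calls (`absint`, `is_user_logged_in`, `current_user_can`) are real APIs.

```php
<?php
// Added example, not the plugin's own code. The function and parameter names
// are assumed; the real function lives in includes/buttons/wa-order-thank-you.php.

// BEFORE: the order ID is taken straight from the request and no ownership
// check is made, so any order ID yields that order's details (the IDOR).
function wa_order_thank_you_override_vulnerable() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order instanceof WC_Order ) {
        return '';
    }
    return wa_order_render_summary( $order );
}

// AFTER: the caller must prove a right to see this specific order.
// - a logged-in customer may view only orders linked to their account;
// - a guest must present the order's secret order key (the same mechanism
//   WooCommerce's own order-received page relies on), compared in constant time;
// - shop managers may view any order.
function wa_order_thank_you_override_hardened() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order instanceof WC_Order ) {
        return '';
    }

    $supplied_key = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';

    // Guest orders carry user ID 0 and an anonymous visitor also has ID 0,
    // so the login check is required to avoid a false match.
    $owns_order  = is_user_logged_in() && (int) $order->get_user_id() === get_current_user_id();
    $key_matches = '' !== $supplied_key && hash_equals( $order->get_order_key(), $supplied_key );

    if ( ! $owns_order && ! $key_matches && ! current_user_can( 'manage_woocommerce' ) ) {
        // Same response as "no such order", so the check does not reveal
        // whether a given ID exists.
        return '';
    }
    return wa_order_render_summary( $order );
}

// Assumed helper: builds the customer-facing summary from a WC_Order.
function wa_order_render_summary( WC_Order $order ) {
    return sprintf(
        '<p>Order #%d for %s</p>',
        $order->get_id(),
        esc_html( $order->get_formatted_billing_full_name() )
    );
}
```

The important design point is that the authorization decision is tied to the specific object being requested (this order, via account ownership or its secret key), not merely to whether the request carries a syntactically valid ID. Returning the same empty response for "not found" and "not authorized" also keeps the page from being used to enumerate which order IDs exist.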

CVSS Analysis

  • CVE ID: CVE-2025-13526
  • Severity: HIGH
  • CVSS Score: 7.5

A CVSS score of 7.5 indicates a high-severity vulnerability. Exploitation requires no privileges and no user interaction and can be performed remotely without authentication. The impact is significant because of the potential compromise of sensitive customer data. The CVSS vector is likely AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (which does evaluate to 7.5 under CVSS v3.1), reflecting a high confidentiality impact with no impact on integrity or availability.

Possible Impact

Exploiting this vulnerability allows unauthenticated attackers to access a wide range of sensitive customer information, including:

  • Names
  • Email Addresses
  • Phone Numbers
  • Billing/Shipping Addresses
  • Order Contents
  • Payment Methods (potentially exposing sensitive payment information if stored within the order details)

Exposure of this data could lead to identity theft, financial fraud, and reputational damage for both the affected website and its customers.

Mitigation and Patch Steps

The vulnerability has been patched in later versions of the OneClick Chat to Order plugin. It is strongly recommended that users of the plugin update to the latest version as soon as possible.

  1. Update the Plugin: Log in to your WordPress dashboard and navigate to the “Plugins” section. Locate the “OneClick Chat to Order” plugin and update it to the latest available version.
  2. Verify the Update: After updating, confirm that the plugin version is later than 1.0.8.
