PT-2025-47835 · WordPress · Oneclick Chat To Order

Published: 2025-11-22 · Updated: 2025-11-29 · CVE-2025-13526

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OneClick Chat to Order plugin for WordPress, versions up to and including 1.0.8

Description: The OneClick Chat to Order plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of validation on a user-controlled key within the wa order thank you override function. An unauthenticated attacker can potentially view sensitive customer information, including names, email addresses, phone numbers, billing and shipping addresses, order contents, and payment methods, by modifying the order ID in the URL.

Recommendations: Versions prior to 1.0.8 should be updated. As a temporary workaround, restrict access to the wa order thank you override function until a patch is available.
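The following is an added illustration of the IDOR class described above, not the plugin's own code: a hypothetical WooCommerce "thank you" override that takes the order ID from the URL, first in the unsafe shape and then hardened so the order ID alone is never treated as proof of ownership. All function names prefixed `example_` are assumptions; the WooCommerce and WordPress calls (`wc_get_order`, `get_order_key`, `get_customer_id`, `hash_equals`, `current_user_can`) are real APIs.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// VULNERABLE pattern: the order ID from the query string is trusted as-is.
// Changing ?order_id=123 to ?order_id=124 shows another customer's order.
function example_thank_you_override_vulnerable() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    echo esc_html( $order->get_billing_email() ); // PII rendered to any visitor
}

// HARDENED pattern: require proof that the visitor may see this order:
// the per-order key WooCommerce places in the thank-you URL, the logged-in
// customer who placed the order, or store staff.
function example_thank_you_override_hardened() {
    $order_id  = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order_key = isset( $_GET['key'] ) ? wc_clean( wp_unslash( $_GET['key'] ) ) : '';
    $order     = wc_get_order( $order_id );

    if ( ! $order || ! example_visitor_may_view_order( $order, $order_key ) ) {
        // Same response for "no such order" and "not your order", so the
        // endpoint does not confirm which order IDs exist.
        wp_die( esc_html__( 'Order not found.', 'example' ), '', array( 'response' => 404 ) );
    }
    echo esc_html( $order->get_billing_email() );
}

function example_visitor_may_view_order( WC_Order $order, string $order_key ): bool {
    // 1. Guest checkout: the URL must carry the unguessable order key;
    //    compare in constant time.
    if ( '' !== $order_key && hash_equals( $order->get_order_key(), $order_key ) ) {
        return true;
    }
    // 2. Logged-in customer who owns the order.
    $user_id = get_current_user_id();
    if ( $user_id && (int) $order->get_customer_id() === $user_id ) {
        return true;
    }
    // 3. Shop managers and administrators.
    return current_user_can( 'manage_woocommerce' );
}
```

The ownership check is the fix; the sequential order ID remains in the URL, but without the key or a matching session it yields nothing.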

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2025-13526

Affected Products: Oneclick Chat To Order