Vulnerabilities and security researches foroneclick-whatsapp-order oneclick-whatsapp-order

Jun 07, 2024

CVE, Research URL: CVE-2024-29789
Home page URL: Security reports for OneClick Chat to Order
Application: OneClick Chat to Order
Date: Mar 27, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Walter Pinem OneClick Chat to Order allows Stored XSS.This issue affects OneClick Chat to Order: from n/a through 1.0.5.
Affected versions: max 1.0.6.
Status: vulnerable

CVE, Research URL: CVE-2023-47546
Home page URL: Security reports for OneClick Chat to Order
Application: OneClick Chat to Order
Date: Nov 15, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Walter Pinem OneClick Chat to Order plugin <= 1.0.4.2 versions.
Affected versions: max 1.0.6.
Status: vulnerable

CVE, Research URL: CVE-2022-4760
Home page URL: Security reports for OneClick Chat to Order
Application: OneClick Chat to Order
Date: Jan 23, 2023
Research Description: The OneClick Chat to Order WordPress plugin before 1.0.4.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Affected versions: max 1.0.4.2.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-13526
Home page URL: Security reports for OneClick Chat to Order
Application: OneClick Chat to Order
Date: Nov 22, 2025
Research Description: The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL.
Affected versions: max 1.0.9.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2025-14270
Home page URL: Security reports for OneClick Chat to Order
Application: OneClick Chat to Order
Date: Feb 19, 2026
Research Description: The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.
Affected versions: max 1.1.0.
Status: vulnerable