OneClick Chat to Order, CVE-2025-13526

CVE, Research URL: CVE-2025-13526
Home page URL: Security reports for OneClick Chat to Order
Application: OneClick Chat to Order
Published on: Nov 22, 2025
Research Description: The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL.
Affected versions: max 1.0.9.
Status: vulnerable