{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13526", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-21T19:46:22.700Z", "datePublished": "2025-11-22T11:08:38.686Z", "dateUpdated": "2026-04-08T16:53:21.023Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:21.023Z"}, "affected": [{"vendor": "walterpinem", "product": "OneClick Chat to Order", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL."}], "title": "OneClick Chat to Order <= 1.0.8 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/547a0c73-044e-49ba-9bec-4f80b41b8ea2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/trunk/includes/buttons/wa-order-thank-you.php#L126"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391625/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md Shofiur Rahman"}], "timeline": [{"time": "2025-11-21T22:24:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T19:35:37.004916Z", "id": "CVE-2025-13526", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T19:35:47.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-24T19:35:37.004916Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T19:35:42.981Z"}}], "cna": {"title": "OneClick Chat to Order <= 1.0.8 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Md Shofiur Rahman"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "walterpinem", "product": "OneClick Chat to Order", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-21T22:24:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/547a0c73-044e-49ba-9bec-4f80b41b8ea2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/trunk/includes/buttons/wa-order-thank-you.php#L126"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391625/"}], "descriptions": [{"lang": "en", "value": "The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:21.023Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13526", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:21.023Z", "dateReserved": "2025-11-21T19:46:22.700Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-22T11:08:38.686Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL."}], "id": "CVE-2025-13526", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-22T11:15:48.857", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/trunk/includes/buttons/wa-order-thank-you.php#L126"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3391625/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/547a0c73-044e-49ba-9bec-4f80b41b8ea2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:27:32.283472+00:00", "value": {"mitigation_remediation": ["Upgrade the OneClick Chat to Order plugin to the most recent release that contains the IDOR fix.", "If an upgrade is not immediately possible, block external access to the \"wa_order_thank_you_override\" endpoint by implementing an authentication requirement or using server\u2011side access controls such as .htaccess rules.", "Add server\u2011side validation that ensures an order ID is associated with the current user session or that the request originates from an authorized source before rendering the thank\u2011you page."], "summary": {"action": "Apply Patch", "impact": "Sensitive customer data exposure"}, "threat_synthesis": {"affected_systems": "The flaw is present in the OneClick Chat to Order plugin by walterpinem and affects every release up to and including version 1.0.8. Any WordPress site that has a vulnerable version of this plugin installed is susceptible to the data exposure attack.", "description_and_impact": "The OneClick Chat to Order WordPress plugin contains an Insecure Direct Object Reference that allows unauthenticated users to retrieve confidential customer information such as names, emails, phone numbers, billing and shipping addresses, order contents and payment methods. The vulnerability stems from missing validation on the \"wa_order_thank_you_override\" endpoint, which is classified as a confidentiality breach (CWE-200).", "risk_and_exploitability": "The CVSS base score of 7.5 indicates high severity. An EPSS score of less than 1% suggests a very low probability of large-scale exploitation, yet the lack of authentication requirements means that any user can manifest the flaw by altering the order ID in the URL. The attack path is straightforward: a malicious actor iterates or guesses order identifiers in the thank\u2011you endpoint to harvest sensitive data. The vulnerability is not currently listed in the CISA KEV catalog, but its potential for privacy violations and downstream fraud remains significant."}}}}, "created": "2025-11-24T09:08:21.375339+00:00", "updated": "2026-04-22T00:30:04.055479+00:00", "vendors": ["walterpinem", "walterpinem$PRODUCT$oneclick_chat_to_order", "wordpress", "wordpress$PRODUCT$wordpress"]}