CVE-2025-14270
Authorization Bypass in OneClick Chat to Order Plugin Allows Order Hijacking
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability | Percentile |
|---|---|
| | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oneclick | chat_to_order | up to 1.0.9 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14270 is a vulnerability in the OneClick Chat to Order WordPress plugin (version 1.0.9 and earlier) that allows an authorization bypass. Specifically, the plugin does not properly verify that a user is authorized to perform certain actions in the function wa_order_number_save_number_field.
This flaw enables authenticated users with Editor-level access or higher to modify WhatsApp phone numbers used by the plugin. By doing so, attackers can redirect customer orders and messages to phone numbers controlled by them.
The root cause is a missing capability check that should restrict management of WhatsApp numbers to administrators. The plugin also lacked sufficient nonce verification to prevent unauthorized form submissions.
How can this vulnerability impact me?
This vulnerability can impact you by allowing users with Editor-level permissions or higher to maliciously change the WhatsApp phone numbers used for order processing in the plugin.
As a result, customer orders and messages intended for your business could be redirected to attacker-controlled phone numbers, potentially leading to loss of orders, customer confusion, fraud, or data interception.
Because the attack requires authenticated users with elevated privileges, it represents a privilege escalation risk within your WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of WhatsApp phone numbers in the OneClick Chat to Order WordPress plugin by users with Editor-level access or higher. Detection involves verifying whether unauthorized users have modified plugin settings or WhatsApp numbers.
You can check for suspicious changes in the plugin's custom post type entries for WhatsApp numbers (`wa-order-numbers`) by reviewing recent edits in the WordPress database or admin interface.
Suggested commands to detect potential exploitation include:
- Query the WordPress database for recent changes to the `wa-order-numbers` custom post type, for example using MySQL (substitute your own table prefix if it is not the default `wp_`):
```sql
SELECT post_title, post_modified, post_modified_gmt, post_author
FROM wp_posts
WHERE post_type = 'wa-order-numbers'
ORDER BY post_modified DESC
LIMIT 10;
```
- Check WordPress user roles and capabilities to identify users with Editor or higher roles who may have accessed or modified these entries.
- Review web server or application logs for POST requests to plugin endpoints related to WhatsApp number saving, especially those invoking the `wa_order_number_save_number_field` function.
- Use WordPress security plugins or audit logs to track changes made to plugin settings or custom post types.
Note that no specific detection commands are provided in the resources, but these general approaches can help identify unauthorized modifications related to this vulnerability. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the OneClick Chat to Order plugin to version 1.1.0 or later, where the vulnerability has been fixed by enforcing proper authorization checks.
- Update the plugin to version 1.1.0, which restricts WhatsApp number management to users with the `manage_options` capability (typically administrators).
- Ensure that only trusted users have Administrator roles and that Editor-level users do not have unnecessary elevated permissions.
- Verify that nonce verification is enabled and functioning properly to protect against CSRF attacks on plugin forms.
- Audit existing WhatsApp number entries to confirm they have not been maliciously altered.
Following these steps will prevent unauthorized users from modifying WhatsApp numbers and redirecting customer orders or messages.
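The following is an added illustration of the fix class the mitigation describes, written as hypothetical WordPress save-handler code and not taken from the plugin's source; the post type `wa-order-numbers` and the `manage_options` capability come from the advisory, while the meta key, nonce action and form field names are assumed.

```php
<?php
// Hypothetical illustration only; not the plugin's actual code.
// Assumes a meta box on the 'wa-order-numbers' post type that posts a field
// named 'wa_order_phone_number' (assumed name).

// Unsafe shape: any user who can trigger save_post for this post type (Editors
// can edit posts) writes the number, and nothing proves the request came from
// the plugin's own form. This is the pattern the advisory describes.
function wa_order_number_save_number_field_unsafe( $post_id ) {
    if ( isset( $_POST['wa_order_phone_number'] ) ) {
        $number = sanitize_text_field( wp_unslash( $_POST['wa_order_phone_number'] ) );
        update_post_meta( $post_id, 'wa_order_phone_number', $number );
    }
}

// Hardened shape: nonce, capability and scope checks before any write.
function wa_order_number_save_number_field_hardened( $post_id ) {
    // 1. Nonce: the request must carry the token rendered by the plugin's form.
    if ( ! isset( $_POST['wa_order_number_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['wa_order_number_nonce'] ), 'wa_order_number_save' ) ) {
        return;
    }
    // 2. Capability: only administrators (manage_options) may change numbers;
    //    Editors fail this check even though they can edit posts.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 3. Scope: act only on the plugin's own post type, never on autosaves or revisions.
    if ( 'wa-order-numbers' !== get_post_type( $post_id )
        || wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    if ( isset( $_POST['wa_order_phone_number'] ) ) {
        // Keep only digits and a leading '+', so the stored value is a bare phone number.
        $number = preg_replace( '/[^0-9+]/', '', wp_unslash( $_POST['wa_order_phone_number'] ) );
        update_post_meta( $post_id, 'wa_order_phone_number', $number );
    }
}
add_action( 'save_post_wa-order-numbers', 'wa_order_number_save_number_field_hardened' );

// Companion: the meta box must emit the matching nonce field, or every save fails check 1.
function wa_order_number_render_field( $post ) {
    wp_nonce_field( 'wa_order_number_save', 'wa_order_number_nonce' );
    $current = esc_attr( get_post_meta( $post->ID, 'wa_order_phone_number', true ) );
    echo '<input type="text" name="wa_order_phone_number" value="' . $current . '">';
}
```

Auditing a plugin for this bug class means locating every handler that writes settings and confirming checks 1 and 2 appear before the write, not after it.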