CVE-2025-14270

LOW

OneClick Chat to Order <=1.0.9 - Auth Bypass

Title source: llm

Description

The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.

References (7)

Core 7

Core References

Product

https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L156

Product

https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L26

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417664%40oneclick-whatsapp-order&new=3417664%40oneclick-whatsapp-order&sfp_email=&sfph_mail=

Product

https://developer.wordpress.org/plugins/security/checking-user-capabilities/

Product

https://developer.wordpress.org/plugins/security/nonces/

Various Sources

https://cwe.mitre.org/data/definitions/862.html

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b5-d27c3631a102?source=cve

Scores

CVSS v3 2.7

EPSS 0.0031

EPSS Percentile 23.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

walterpinem/OneClick Chat to Order < 1.0.9

Published Feb 19, 2026

Tracked Since Feb 19, 2026