High severity7.5NVD Advisory· Published Nov 22, 2025· Updated Apr 15, 2026
CVE-2025-13526
CVE-2025-13526
Description
The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.0.8
- Range: <=1.0.8
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.