Low severity2.7NVD Advisory· Published Feb 19, 2026· Updated Apr 15, 2026
CVE-2025-14270
CVE-2025-14270
Description
The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- cwe.mitre.org/data/definitions/862.htmlnvd
- developer.wordpress.org/plugins/security/checking-user-capabilities/nvd
- developer.wordpress.org/plugins/security/nonces/nvd
- plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.phpnvd
- plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b5-d27c3631a102nvd
News mentions
0No linked articles in our index yet.