OneClick Chat to Order plugin for WordPress allows unauthorized access
CVE-2025-14270
Summary
The OneClick Chat to Order plugin for WordPress is missing an authorization check, which lets authenticated attackers with Editor-level access or above change the WhatsApp phone numbers the plugin uses for customer orders and messages, redirecting those communications to phone numbers the attacker controls. This affects versions of the plugin up to and including 1.0.9. To protect your site, update the plugin to the latest version.
Original title
The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is author...
Original description
The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.
NVD CVSS 3.1
2.7
Vulnerability type
CWE-862
Missing Authorization
- https://cwe.mitre.org/data/definitions/862.html
- https://developer.wordpress.org/plugins/security/checking-user-capabilities/
- https://developer.wordpress.org/plugins/security/nonces/
- https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/in...
- https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/in...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026