OneClick Chat to Order
Moderate fix1 remedy
cpe:2.3:a:onlinestorekit:oneclick_chat_to_order:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 1.0.8
OneClick Chat to Order WordPress Plugin Insecure Direct Object Reference Vulnerability
Vulnerability
Patched
A vulnerability exists in the OneClick Chat to Order plugin for WordPress, specifically in versions through 1.0.8. The issue is an Insecure Direct Object Reference (IDOR) that allows unauthenticated attackers to access sensitive customer information. This vulnerability arises from the 'wa_order_thank_you_override' function, which lacks proper validation on user-controlled keys. By simply altering the order ID in the URL, attackers can retrieve confidential data such as names, email addresses, phone numbers, billing and shipping addresses, order details, and payment methods.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive customer information, including personal details and order-related data.
Reproduction
To reproduce this vulnerability, an unauthenticated user can change the order ID in the URL to access the 'wa_order_thank_you_override' function. This bypasses the lack of validation on user-controlled keys, allowing the retrieval of sensitive customer information.
Remediation
Users are advised to update the OneClick Chat to Order plugin to version 1.0.9 or later.
Added: Nov 22, 2025, 11:17 AM
Updated: Nov 22, 2025, 11:17 AM
Vulnerability Rating
Custom Algorithm
spread
1.0impact
2.5exploitability
9.3remediation
7.7relevance
1.1threat
4.8urgency
2.9incentive
10.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.