CVE-2025-14270

The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cwe.mitre.org/data/definitions/862.html
https://developer.wordpress.org/plugins/security/checking-user-capabilities/
https://developer.wordpress.org/plugins/security/nonces/
https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L156
https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L26
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417664%40oneclick-whatsapp-order&new=3417664%40oneclick-whatsapp-order&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b5-d27c3631a102?source=cve

Configurations

No configuration.

History

19 Feb 2026, 07:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-19 07:17

Updated : 2026-02-19 15:53

NVD link : CVE-2025-14270

Mitre link : CVE-2025-14270

CVE.ORG link : CVE-2025-14270

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

{"id": "CVE-2025-14270", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "published": "2026-02-19T07:17:34.523", "references": [{"url": "https://cwe.mitre.org/data/definitions/862.html", "source": "security@wordfence.com"}, {"url": "https://developer.wordpress.org/plugins/security/checking-user-capabilities/", "source": "security@wordfence.com"}, {"url": "https://developer.wordpress.org/plugins/security/nonces/", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L156", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L26", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417664%40oneclick-whatsapp-order&new=3417664%40oneclick-whatsapp-order&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b5-d27c3631a102?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers."}], "lastModified": "2026-02-19T15:53:02.850", "sourceIdentifier": "security@wordfence.com"}