CVE-2025-14270

OneClick Chat to Order <= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update

Severity: low
Type: Missing Authorization
CVSS Score: 2.7
Patched in: 1.1.0
Time to patch: 1d

Description

The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.0.9
Published: February 18, 2026
Last updated: February 19, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2025-14270

1. Vulnerability Summary

The OneClick Chat to Order plugin (up to v1.0.9) contains a missing authorization vulnerability in the function wa_order_number_save_number_field. This function is responsible for updating the WhatsApp phone number used for customer redirects. Because the function fails to verify that the requesting user has administrative privileges (e.g., manage_options), any authenticated user with access to the WordPress dashboard—specifically Editors and above—can trigger this function to modify the plugin's core settings.

2. Attack Vector Analysis

  • Endpoint: Admin-side initialization hook (typically admin_init).
  • HTTP Method: POST (or GET if the function does not explicitly check the request method, but usually POST for settings updates).
  • Vulnerable Function: wa_order_number_save_number_field (inferred to be located in the main plugin file or an admin-specific includes file).
  • Payload Parameter: wa_order_number (inferred from function name).
  • Authentication: Authenticated as Editor (capability: edit_posts).
  • Preconditions: The plugin must be active. The attacker must have Editor-level credentials.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an action: add_action('admin_init', 'wa_order_number_save_number_field');.
  2. Trigger: An Editor user logs in and accesses any page in /wp-admin/. The admin_init hook fires for all administrative requests.
  3. Execution:
    • The function wa_order_number_save_number_field() is called.
    • It likely checks if isset($_POST['wa_order_number']).
    • It fails to perform a current_user_can('manage_options') check.
    • It may or may not perform a nonce check (check_admin_referer). If it does, the Editor must obtain the nonce from the settings page first.
  4. Sink: update_option('wa_order_number', sanitize_text_field($_POST['wa_order_number'])); is executed, overwriting the legitimate business WhatsApp number.

4. Nonce Acquisition Strategy

If the function performs a nonce check, the Editor can obtain it by visiting the plugin's settings page, as Editors typically have access to view (but not necessarily save) most admin menus unless explicitly restricted.

  1. Locate Settings Page: Find where the WhatsApp number is configured (e.g., admin.php?page=wa-order-settings).
  2. Navigate: Use browser_navigate to go to the settings page.
  3. Extract Nonce:
    • Identify the nonce field name (e.g., _wpnonce or a custom identifier like wa_order_nonce).
    • Use browser_eval to extract it:
      // Example: checking for standard WP nonce fields or specific plugin fields
      document.querySelector('input[name="_wpnonce"]')?.value || 
      document.querySelector('#wa_order_number_nonce')?.value
      
  4. Bypass Check: If no nonce check exists, the POST request can be sent directly to wp-admin/admin-post.php or any admin URL.

5. Exploitation Strategy

Step 1: Editor Authentication

Log in to the WordPress instance as a user with the Editor role.

Step 2: Discovery

Identify the exact POST parameters and the required nonce (if any).

  • Search the source for wa_order_number_save_number_field to see exactly which $_POST keys it looks for.
  • Look for wp_nonce_field in the settings page template.

Step 3: Payload Delivery

Send a POST request to trigger the update.

Request Template:

  • URL: http://localhost:8080/wp-admin/admin-init.php (or simply wp-admin/index.php with POST data)
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    wa_order_number=+1234567890&_wpnonce=[EXTRACTED_NONCE]&action=[IF_HOOKED_TO_ADMIN_POST]
    

Note: Since the function is hooked to admin_init, any request to an admin page with the correct POST parameters will trigger it.

6. Test Data Setup

  1. Plugin Installation: Install and activate oneclick-whatsapp-order v1.0.9.
  2. Initial Config: Set a "legitimate" number via the Admin account:
    wp option update wa_order_number "+1555000111"
    
  3. Attacker Account: Create an Editor user:
    wp user create attacker attacker@example.com --role=editor --user_pass=password123
    

7. Expected Results

  • The server responds with a 200 OK or a 302 Redirect back to the admin dashboard.
  • No "You do not have sufficient permissions" error is shown (which would occur if current_user_can was properly implemented).
  • The value of the wa_order_number option in the database is updated to the attacker's value.

8. Verification Steps

After the exploit attempt, verify the database state using WP-CLI:

wp option get wa_order_number

Success Criteria: The output matches +1234567890 (the attacker's number) instead of the original +1555000111.

9. Alternative Approaches

  • CSRF Check: If there is no nonce check, the exploit can be converted into a CSRF attack targeting an Administrator.
  • REST API: Check if the plugin registers a REST route (via register_rest_route) that uses the same vulnerable function or logic, as REST routes often have different authorization callback requirements.
  • Direct Option Update: If the plugin uses the Settings API (register_setting), check if the option_group is accessible to non-admins.

Research Findings
Static analysis — not yet PoC-verified

Summary

The OneClick Chat to Order plugin for WordPress is vulnerable to an authorization bypass in the `wa_order_number_save_number_field` function. Because this function is hooked to `admin_init` without capability checks, authenticated users with Editor-level access can overwrite the plugin's WhatsApp phone number settings, redirecting potential customer orders to an attacker-controlled number.

Vulnerable Code

// Inferred from plugin architecture and research plan
// File: oneclick-whatsapp-order.php

add_action('admin_init', 'wa_order_number_save_number_field');

function wa_order_number_save_number_field() {
    if (isset($_POST['wa_order_number'])) {
        update_option('wa_order_number', sanitize_text_field($_POST['wa_order_number']));
    }
}
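As an added example (not the plugin's code and not the vendor patch), a hardened replacement for the inferred handler above: it runs only on an explicit settings-form submission through admin-post.php instead of on every admin_init, checks the capability, verifies a nonce, and validates the number format before writing the option. The admin-post action name, nonce action and field names, and the settings page slug are assumptions.

```php
<?php
// Added example, not the plugin's code. Hook name, nonce action/field names
// and the settings page slug are assumptions for illustration.

// Register the save handler on a dedicated admin-post action instead of
// admin_init, so it only runs on an explicit submission of the settings form.
add_action( 'admin_post_wa_order_save_number', 'wa_order_number_save_number_field_hardened' );

function wa_order_number_save_number_field_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions to change this setting.', 403 );
    }

    // 2. CSRF: the form must carry the nonce emitted by
    //    wp_nonce_field( 'wa_order_save_number', 'wa_order_nonce' ).
    check_admin_referer( 'wa_order_save_number', 'wa_order_nonce' );

    // 3. Validation: accept only an E.164-style number (+ then 8 to 15 digits)
    //    after stripping common separators, instead of any free-form text.
    $raw    = isset( $_POST['wa_order_number'] ) ? wp_unslash( $_POST['wa_order_number'] ) : '';
    $number = preg_replace( '/[\s().-]/', '', sanitize_text_field( $raw ) );
    if ( ! preg_match( '/^\+[1-9][0-9]{7,14}$/', $number ) ) {
        wp_die( 'Invalid WhatsApp number.', 400 );
    }

    // 4. Sink with an audit trail: record who changed the routing number.
    $old = get_option( 'wa_order_number', '' );
    if ( $old !== $number ) {
        update_option( 'wa_order_number', $number );
        error_log( sprintf(
            'wa_order_number changed from "%s" to "%s" by user %d',
            $old, $number, get_current_user_id()
        ) );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=wa-order-settings' ) ) );
    exit;
}

// Settings form fragment that pairs with the handler above.
function wa_order_number_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wa_order_save_number">';
    wp_nonce_field( 'wa_order_save_number', 'wa_order_nonce' );
    echo '<input type="text" name="wa_order_number" value="' . esc_attr( get_option( 'wa_order_number', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```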

Security Fix

--- a/oneclick-whatsapp-order.php
+++ b/oneclick-whatsapp-order.php
@@ -10,6 +10,10 @@
  */
 function wa_order_number_save_number_field() {
+	if ( ! current_user_can( 'manage_options' ) ) {
+		return;
+	}
+
 	if ( isset( $_POST['wa_order_number'] ) ) {
 		update_option( 'wa_order_number', sanitize_text_field( $_POST['wa_order_number'] ) );
 	}
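Review bot: the capability check added at the top of wa_order_number_save_number_field() closes the Editor-level authorization gap, but the hunk still writes update_option() straight from $_POST['wa_order_number'] with no nonce verification, so a request forged against a logged-in administrator would still update the number. Suggest verifying the settings-form nonce before the isset() check, e.g. `check_admin_referer( 'wa_order_save_number', 'wa_order_nonce' );` (hypothetical action and field names that must match the wp_nonce_field() call on the settings page). Also consider validating the number format rather than relying on sanitize_text_field() alone, since this option is what routes customer messages.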

Exploit Outline

The exploit requires an attacker to have at least Editor-level authentication on the WordPress site. The attacker sends a POST request to any administrative URL (e.g., /wp-admin/index.php) containing the parameter 'wa_order_number' with a value of the attacker's choosing. Because the plugin hooks the vulnerable function to 'admin_init'—which runs on every admin page load—and fails to verify user capabilities via 'current_user_can', the 'wa_order_number' option in the database is updated to the attacker's supplied phone number. If a nonce check is present, the Editor can retrieve the valid nonce from the plugin's settings page prior to making the request.
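As an added defensive example (not part of the research findings and not the plugin's code), a must-use plugin that blocks, logs and reports any change to the wa_order_number option that is not made by a user with manage_options or by a WP-CLI operator, which is exactly the write the outline above depends on. The plugin name, log prefix and mail subject are assumptions.

```php
<?php
/**
 * Plugin Name: WA Order Number Guard (added example, mu-plugin)
 * Place in wp-content/mu-plugins/. Compensating control for CVE-2025-14270:
 * the wa_order_number option may only change through a request made by a user
 * with manage_options (or via WP-CLI); any other write is blocked, logged and mailed.
 */

// pre_update_option_{$option} runs before the write; returning the old value
// makes update_option() a no-op, so an unauthorized number is never stored.
add_filter( 'pre_update_option_wa_order_number', 'wa_order_guard_filter', 10, 3 );

function wa_order_guard_filter( $value, $old_value, $option ) {
    if ( $value === $old_value ) {
        return $value; // nothing changes, nothing to record
    }

    $user  = wp_get_current_user();
    $entry = array(
        'ts'      => gmdate( 'c' ),
        'option'  => $option,
        'old'     => (string) $old_value,
        'new'     => (string) $value,
        'user_id' => $user->ID,
        'login'   => $user->user_login,
        'roles'   => implode( ',', (array) $user->roles ),
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'uri'     => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'cli'     => defined( 'WP_CLI' ) && WP_CLI, // WP-CLI runs with no logged-in user
    );

    // Legitimate paths: an administrator in the dashboard, or an operator using WP-CLI
    // (e.g. "wp option update wa_order_number ..." as in the test setup above).
    $allowed          = $entry['cli'] || user_can( $user, 'manage_options' );
    $entry['blocked'] = ! $allowed;

    // Every change is logged; blocked ones are also mailed to the site admin.
    error_log( 'wa_order_guard ' . wp_json_encode( $entry ) );
    if ( ! $allowed ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Blocked change to WhatsApp order number',
            wp_json_encode( $entry, JSON_PRETTY_PRINT )
        );
        return $old_value; // keep the known-good number
    }
    return $value;
}
```

The error_log line is a structured JSON record, so it can be shipped to a SIEM and alerted on whenever "blocked":true appears.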
