← Voltar para CVEs

CVE-2025-14270

LOW

2.7

Descricao

The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.

Detalhes CVE

Pontuacao CVSS v3.12.7

SeveridadeLOW

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosHIGH

Interacao do usuarioNONE

Publicado2/19/2026

Ultima modificacao2/19/2026

Fontenvd

Avistamentos honeypot0

Fraquezas (CWE)

CWE-862

Referencias

https://cwe.mitre.org/data/definitions/862.html(security@wordfence.com)

https://developer.wordpress.org/plugins/security/checking-user-capabilities/(security@wordfence.com)

https://developer.wordpress.org/plugins/security/nonces/(security@wordfence.com)

https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L156(security@wordfence.com)

https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L26(security@wordfence.com)

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417664%40oneclick-whatsapp-order&new=3417664%40oneclick-whatsapp-order&sfp_email=&sfph_mail=(security@wordfence.com)

https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b5-d27c3631a102?source=cve(security@wordfence.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.