CVE-2025-13526

WordPress · WordPress OneClick Chat to Order plugin

A high-severity vulnerability has been identified in the "OneClick Chat to Order" plugin for WordPress.

Executive summary

A high-severity vulnerability has been identified in the "OneClick Chat to Order" plugin for WordPress. This flaw, known as an Insecure Direct Object Reference (IDOR), could allow an unauthorized attacker to access, modify, or delete sensitive data, such as customer orders or private chat messages, by manipulating web requests. Immediate patching is required to prevent potential data breaches and protect customer information.

Vulnerability

The vulnerability is an Insecure Direct Object Reference (IDOR). The plugin fails to properly validate user authorization when accessing data objects like orders or chat sessions. An authenticated attacker, even with low privileges, can exploit this by modifying the identifier value (e.g., an order ID or user ID) in their web requests. Because the backend does not verify that the user making the request is the legitimate owner of the requested data, the server will improperly grant access, allowing the attacker to view, modify, or delete information belonging to other users.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, exposing sensitive customer information, order details, and private communications. The business consequences include reputational damage, loss of customer trust, and potential financial liability from regulatory fines (e.g., GDPR, CCPA). Unauthorized modification of order data could also result in direct financial loss and operational disruption.

Remediation

Immediate Action:

  • Identify all WordPress sites using the "OneClick Chat to Order" plugin and immediately update it to the latest patched version provided by the vendor.
  • If the plugin is not essential for business operations, the recommended course of action is to deactivate and uninstall it to completely remove the attack surface.

Proactive Monitoring:

  • Review web server access logs for suspicious patterns, such as a single IP address making multiple requests to plugin endpoints with sequentially numbered or rapidly changing identifiers.
  • Configure WordPress security monitoring tools to alert on unusual activity related to the affected plugin's functions.
  • Monitor for any unauthorized changes to user accounts or order data within the WordPress dashboard.
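The log review described above, as an added example that is not part of this advisory: it scans combined-format access log lines for a single client IP that hits the plugin endpoint with many distinct object identifiers. The endpoint marker, the admin-ajax action name and the `order_id` parameter are assumptions for illustration, not the plugin's real routes, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (combined format). The action name and the
# order_id parameter are hypothetical, not the plugin's actual endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_chat_order&order_id=1041 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_chat_order&order_id=1042 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_chat_order&order_id=1043 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_chat_order&order_id=1044 HTTP/1.1" 200 515 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_chat_order&order_id=2200 HTTP/1.1" 200 520 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:10:05:40 +0000] "GET /wp-admin/admin-ajax.php?action=example_chat_order&order_id=2200 HTTP/1.1" 200 520 "-" "Mozilla/5.0"
"""

# Client IP, request line and status from a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Object identifiers carried in the query string (parameter names are assumed).
ID_RE = re.compile(r'(?:^|&)(?P<key>order_id|user_id|id)=(?P<val>\d+)', re.I)


def find_id_enumeration(log_text, endpoint_marker, min_ids=3):
    """Return {ip: {"ids": [...], "sequential": bool}} for every client that
    requested the plugin endpoint with at least `min_ids` distinct identifiers.
    A contiguous run of identifiers is flagged as sequential enumeration."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or endpoint_marker not in m["path"]:
            continue
        query = m["path"].partition("?")[2]
        idm = ID_RE.search(query)
        if idm:
            ids_by_ip[m["ip"]].add(int(idm["val"]))
    suspicious = {}
    for ip, ids in ids_by_ip.items():
        seq = sorted(ids)
        if len(seq) >= min_ids:
            sequential = all(b - a == 1 for a, b in zip(seq, seq[1:]))
            suspicious[ip] = {"ids": seq, "sequential": sequential}
    return suspicious


if __name__ == "__main__":
    for ip, info in find_id_enumeration(SAMPLE_LOG, "action=example_chat_order").items():
        print(ip, info)
```

Point it at the real endpoint path of the affected plugin and a full day's log; legitimate users rarely touch more than a handful of distinct order identifiers, so a low threshold is usually safe.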

Compensating Controls:

  • Implement a Web Application Firewall (WAF) with rules designed to detect and block common IDOR attack patterns.
  • Enforce the principle of least privilege for all WordPress user roles to limit the potential impact of a compromised account.
  • Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high-severity CVSS score of 7.5 and the direct risk of a sensitive data breach, we strongly recommend that organizations treat this vulnerability with high priority. All instances of the "OneClick Chat to Order" plugin must be identified and patched immediately. Although this CVE is not currently listed on the CISA KEV catalog, the potential for significant business impact warrants immediate and decisive action to mitigate the risk.