CVE-2025-13526: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in walterpinem OneClick Chat to Order
The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL.
AI Analysis
Technical Summary
CVE-2025-13526 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the OneClick Chat to Order plugin for WordPress, affecting all versions up to and including 1.0.8. The vulnerability exists due to the 'wa_order_thank_you_override' function failing to validate user-controlled input, specifically the order ID parameter in the URL. This lack of validation enables unauthenticated attackers to manipulate the order ID and retrieve sensitive customer information without any authentication or user interaction. The exposed data includes personally identifiable information (PII) such as customer names, email addresses, phone numbers, billing and shipping addresses, order contents, and payment methods. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required, resulting in a high confidentiality impact but no impact on integrity or availability. While no public exploits have been reported yet, the flaw represents a significant risk for data leakage. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS v3.1 base score of 7.5, indicating a high severity level. The absence of patches at the time of disclosure necessitates immediate attention from administrators to implement compensating controls or disable the plugin until a fix is available.
Potential Impact
For European organizations, this vulnerability poses a substantial risk of unauthorized disclosure of sensitive customer data, which can lead to privacy violations, reputational damage, and regulatory penalties under GDPR. The exposure of PII and payment information can facilitate identity theft, fraud, and targeted phishing attacks. E-commerce businesses relying on the OneClick Chat to Order plugin may suffer customer trust erosion and potential financial losses. Since the vulnerability requires no authentication or user interaction, attackers can easily automate exploitation at scale, increasing the likelihood of widespread data breaches. Additionally, organizations may face legal consequences due to non-compliance with data protection laws, especially if they fail to secure customer data adequately. The impact is particularly critical for sectors handling large volumes of customer transactions, such as retail, travel, and services industries prevalent in Europe.
Mitigation Recommendations
1. Immediately audit WordPress sites to identify installations of the OneClick Chat to Order plugin and verify the version in use.
2. Disable or uninstall the plugin until an official security patch is released by the vendor.
3. If disabling the plugin is not feasible, implement web application firewall (WAF) rules to block or monitor requests containing suspicious order ID manipulations targeting the 'wa_order_thank_you_override' function.
4. Restrict access to order-related URLs by enforcing authentication and authorization checks at the web server or application level.
5. Monitor server logs for unusual access patterns or repeated attempts to access order details with varying order IDs.
6. Educate site administrators on the risks of insecure direct object references and encourage timely updates of all plugins.
7. Once a patch is available, apply it promptly and verify that proper input validation and access controls are enforced.
8. Conduct regular security assessments and penetration testing focusing on IDOR and other access control vulnerabilities in e-commerce plugins.
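The log-monitoring recommendation above (repeated attempts to access order details with varying order IDs), as an added Python example that is not part of this advisory or of the plugin's code: it parses combined-format web server log lines, extracts an order reference from the query string, and flags any client that requests at least five distinct order IDs within a five-minute window, which is the access pattern an order-enumeration attempt leaves behind. The query parameter name `order_id`, the thresholds, and the sample log lines are assumptions constructed for the example; the advisory does not state the parameter name, so adjust `ORDER_PARAM` to match the thank-you URL on a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumption: the plugin's thank-you page takes the order reference from a
# query parameter. The name below is a placeholder for the example, not a
# value taken from the advisory; set it to the parameter the site actually uses.
ORDER_PARAM = "order_id"

# Assumed thresholds: a client that touches this many distinct order IDs within
# the window is reported as enumerating orders.
DISTINCT_ID_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Apache/Nginx "combined" log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    query = parse_qs(urlsplit(m.group("path")).query)
    values = query.get(ORDER_PARAM)
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "status": int(m.group("status")),
        "order_id": values[0] if values else None,
    }


def find_enumerators(lines, threshold=DISTINCT_ID_THRESHOLD, window=WINDOW):
    """Return {client_ip: max distinct order IDs seen in any window} for clients at or over threshold."""
    events = defaultdict(list)  # ip -> [(timestamp, order_id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["order_id"] is None:
            continue
        events[rec["ip"]].append((rec["ts"], rec["order_id"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        worst = 0
        start = 0
        # Sliding window: advance `start` until the window fits, then count distinct IDs inside it.
        for end, (ts_end, _) in enumerate(evs):
            while ts_end - evs[start][0] > window:
                start += 1
            distinct = len({oid for _, oid in evs[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged


# Constructed sample log lines (not real traffic). 203.0.113.7 walks six consecutive
# order IDs in under two minutes; 198.51.100.5 reloads its own thank-you page twice;
# 192.0.2.9 never touches the order parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Nov/2025:11:00:01 +0000] "GET /thank-you/?order_id=1001 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Nov/2025:11:00:15 +0000] "GET /thank-you/?order_id=1002 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Nov/2025:11:00:30 +0000] "GET /thank-you/?order_id=1003 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Nov/2025:11:00:45 +0000] "GET /thank-you/?order_id=1004 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Nov/2025:11:01:00 +0000] "GET /thank-you/?order_id=1005 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Nov/2025:11:01:20 +0000] "GET /thank-you/?order_id=1006 HTTP/1.1" 200 5120',
    '198.51.100.5 - - [22/Nov/2025:11:02:10 +0000] "GET /thank-you/?order_id=2042 HTTP/1.1" 200 5120',
    '198.51.100.5 - - [22/Nov/2025:11:02:40 +0000] "GET /thank-you/?order_id=2042 HTTP/1.1" 200 5120',
    '192.0.2.9 - - [22/Nov/2025:11:03:00 +0000] "GET /shop/ HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct order IDs within {WINDOW}")
```

The detector counts distinct IDs rather than raw request volume, so a customer refreshing their own confirmation page is not flagged while a client stepping through consecutive IDs is. Once the plugin is patched and rejects foreign order IDs, the same logic can be narrowed to count only non-200 responses to surface clients still probing.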
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-21T19:46:22.700Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 69219bd9de5ac9d38c932d9b
Added to database: 11/22/2025, 11:17:45 AM
Last enriched: 11/22/2025, 11:32:39 AM
Last updated: 11/22/2025, 1:14:28 PM