CVE-2025-13526 identifies a critical security flaw in the OneClick Chat to Order plugin for WordPress, specifically in all versions up to and including 1.0.8. The vulnerability is an Insecure Direct Object Reference (IDOR) caused by the 'wa_order_thank_you_override' function failing to validate a user-controlled key parameter. This missing validation allows unauthenticated attackers to alter the order ID in the URL and retrieve sensitive customer information without any authentication or user interaction. The exposed data includes personally identifiable information (PII) such as customer names, email addresses, phone numbers, billing and shipping addresses, order contents, and payment methods, which could be exploited for identity theft, fraud, or targeted phishing attacks. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required, as reflected in its CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). While no public exploits have been reported yet, the nature of the flaw makes it a prime target for attackers seeking to harvest sensitive data from WordPress e-commerce sites using this plugin. The lack of patches at the time of disclosure increases the urgency for mitigation. This vulnerability falls under CWE-200, indicating exposure of sensitive information to unauthorized actors.

The primary impact of CVE-2025-13526 is the unauthorized disclosure of sensitive customer data, which can lead to severe privacy violations and regulatory non-compliance (e.g., GDPR, CCPA). Organizations operating WordPress sites with the vulnerable OneClick Chat to Order plugin risk data breaches that could damage customer trust, result in financial losses, and invite legal penalties. Attackers could leverage the exposed information for identity theft, financial fraud, social engineering, and targeted phishing campaigns. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, potentially affecting any publicly accessible WordPress site using this plugin. The integrity and availability of systems are not directly impacted, but the confidentiality breach alone is significant. The exposure of payment method details further elevates the risk of financial fraud. The vulnerability could also be used as a stepping stone for more complex attacks if combined with other vulnerabilities.

1. Immediate mitigation involves disabling or uninstalling the OneClick Chat to Order plugin until a security patch is released. 2. Monitor official vendor channels and WordPress plugin repositories for updates or patches addressing CVE-2025-13526 and apply them promptly. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting to manipulate order ID parameters in URLs. 4. Restrict access to order-related endpoints by IP whitelisting or requiring authentication where feasible to reduce exposure. 5. Conduct thorough audits of customer data access logs to detect any unauthorized access attempts. 6. Educate site administrators on the risks of using outdated or unpatched plugins and enforce strict plugin update policies. 7. Consider additional data encryption at rest and in transit to protect sensitive information. 8. Review and minimize the amount of sensitive data stored or displayed via plugins to reduce potential exposure. 9. Engage in regular vulnerability scanning and penetration testing focused on IDOR and similar access control issues.