
CVE-2025-13526: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in walterpinem OneClick Chat to Order

Severity: High
Tags: Vulnerability, CVE-2025-13526, CWE-200
Published: Sat Nov 22 2025 (11/22/2025, 11:08:38 UTC)
Source: CVE Database V5
Vendor/Project: walterpinem
Product: OneClick Chat to Order

Description

The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL.

AI-Powered Analysis

Last updated: 11/29/2025, 11:39:46 UTC

Technical Analysis

CVE-2025-13526 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the OneClick Chat to Order plugin for WordPress, versions up to and including 1.0.8. It arises from an Insecure Direct Object Reference (IDOR) in the 'wa_order_thank_you_override' function, where the plugin fails to validate a user-controlled key parameter that corresponds to the order ID. Because of this missing validation, an unauthenticated attacker can change the order ID parameter in the URL and retrieve sensitive customer data belonging to other orders: personally identifiable information (PII) such as customer names, email addresses, phone numbers, billing and shipping addresses, order contents, and payment method details.

The flaw is exploitable remotely with no authentication or user interaction, so it is reachable by anyone scanning for vulnerable sites. No exploits are known to be in the wild at the time of writing, but the nature of the flaw and its ease of exploitation make it a serious privacy and security concern. The CVSS v3.1 base score of 7.5 (High) reflects a network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality with no impact on integrity or availability. The vulnerability was published on November 22, 2025, and was assigned by Wordfence. No official patch or fix has been linked yet, so affected sites remain vulnerable until an update is released and applied.
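The plugin's source is not reproduced on this page, so the following is an added illustration of the IDOR class described above, not code from OneClick Chat to Order. It contrasts an insecure lookup that trusts a user-supplied order ID with a hardened one that additionally requires either the per-order key WooCommerce generates or an authenticated session belonging to the order's customer. The function names wa_order_lookup_insecure, wa_order_lookup_secure and wa_render_thank_you_secure, the query parameters order_id and key, and the text domain are assumptions; wc_get_order(), WC_Order::get_order_key(), WC_Order::get_customer_id() and the WordPress helpers are real APIs.

```php
<?php
/**
 * Added illustration (not plugin code). Function names and parameter
 * names are hypothetical; the WooCommerce/WordPress calls are real.
 */

// INSECURE PATTERN: the order is loaded solely from a user-controlled ID.
// Anyone who changes the number reads another customer's order (IDOR).
function wa_order_lookup_insecure() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    return $order ? $order : null; // no key check, no ownership check
}

// HARDENED PATTERN: knowing an order ID is never enough on its own.
// The caller must present the random per-order key WooCommerce stores on
// the order, or be logged in as the customer who placed it.
function wa_order_lookup_secure() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        return null;
    }

    // 1. Order-key check, compared in constant time against the stored key.
    $supplied_key = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    $key_ok       = ( '' !== $supplied_key ) && hash_equals( $order->get_order_key(), $supplied_key );

    // 2. Ownership check: an authenticated user may only see their own orders.
    $user_id  = get_current_user_id();
    $owner_ok = ( $user_id > 0 ) && ( (int) $order->get_customer_id() === $user_id );

    if ( ! $key_ok && ! $owner_ok ) {
        return null; // deny by default
    }
    return $order;
}

// Rendering wrapper: on authorization failure emit a generic error and no PII.
function wa_render_thank_you_secure() {
    $order = wa_order_lookup_secure();
    if ( null === $order ) {
        wp_die(
            esc_html__( 'You are not allowed to view this order.', 'example-text-domain' ),
            '',
            array( 'response' => 403 )
        );
    }
    echo esc_html( sprintf( 'Thank you, %s.', $order->get_billing_first_name() ) );
}
```

The hardened version makes the authorization decision independent of how the ID is encoded in the URL: possession of a guessable integer grants nothing, and a failed check returns the same generic response whether or not the order exists, which also avoids confirming valid IDs to an enumerator.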

Potential Impact

For European organizations, the exposure of sensitive customer information through this vulnerability can lead to severe privacy breaches, undermining customer trust and damaging brand reputation. The leakage of PII and payment details can facilitate identity theft, fraud, and targeted phishing attacks. Additionally, under the EU General Data Protection Regulation (GDPR), unauthorized disclosure of personal data can result in substantial fines and legal consequences. E-commerce businesses relying on the OneClick Chat to Order plugin are particularly at risk, as customer order data is central to their operations. The vulnerability does not affect system integrity or availability directly but compromises confidentiality, which is critical for compliance and customer trust. Organizations may also face operational disruptions if they need to take vulnerable systems offline or conduct extensive incident response. The risk is heightened for businesses with large customer bases or those handling sensitive payment information. The lack of authentication and user interaction requirements means attackers can exploit the flaw at scale, increasing the potential impact across multiple organizations.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the OneClick Chat to Order plugin and its version. Until an official patch is released, organizations should consider disabling or removing the plugin to prevent exploitation. Implementing web application firewall (WAF) rules to detect and block suspicious requests attempting to manipulate order ID parameters can provide temporary protection. Restricting access to order-related URLs by IP whitelisting or requiring authentication can also mitigate risk. Developers and site administrators should enforce strict input validation and authorization checks on all user-supplied parameters, ensuring that users can only access their own order data. Monitoring web server logs for unusual access patterns targeting order IDs can help detect exploitation attempts. Once a patch is available, prompt application and testing of the update is critical. Additionally, organizations should review their data protection policies and incident response plans to prepare for potential data breach notifications and compliance requirements.
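To make the log-monitoring recommendation above concrete, here is an added detection example (not from the plugin, Wordfence or this advisory) written as a PHP CLI script so it can run on the same host as the WordPress installation. It assumes combined-format access logs and that the thank-you page uses WooCommerce's default order-received URL with the order ID as a numeric path segment; the URL shape, the regular expression, the threshold and the sample log lines are all constructed for the example. It profiles, per client IP, successful (HTTP 200) requests for distinct order pages that carry no key parameter, and flags clients that exceed a threshold, counting how many of those IDs were consecutive.

```php
<?php
/**
 * Added detection example (not plugin or advisory code). Log lines below are
 * constructed; the URL pattern and threshold are assumptions.
 */

// Constructed sample traffic: 203.0.113.5 walks sequential order IDs with no
// key; 198.51.100.7 makes a single normal visit that carries its order key.
$sample_log = <<<'LOG'
203.0.113.5 - - [22/Nov/2025:11:10:01 +0000] "GET /checkout/order-received/1001/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.5 - - [22/Nov/2025:11:10:02 +0000] "GET /checkout/order-received/1002/ HTTP/1.1" 200 5098 "-" "curl/8.5.0"
203.0.113.5 - - [22/Nov/2025:11:10:02 +0000] "GET /checkout/order-received/1003/ HTTP/1.1" 200 5131 "-" "curl/8.5.0"
203.0.113.5 - - [22/Nov/2025:11:10:03 +0000] "GET /checkout/order-received/1004/ HTTP/1.1" 200 5077 "-" "curl/8.5.0"
203.0.113.5 - - [22/Nov/2025:11:10:03 +0000] "GET /checkout/order-received/1005/ HTTP/1.1" 200 5102 "-" "curl/8.5.0"
198.51.100.7 - - [22/Nov/2025:11:12:40 +0000] "GET /checkout/order-received/1006/?key=wc_order_EXAMPLEKEY HTTP/1.1" 200 5210 "https://shop.example/checkout/" "Mozilla/5.0"
LOG;

/**
 * Per client IP: the set of distinct order IDs fetched successfully without a
 * key parameter, and how many of those IDs directly followed the previous one.
 */
function wa_order_access_profile( string $log ): array {
    $pattern = '#^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) /checkout/order-received/(\d+)/?(?:\?([^ ]*))? HTTP/[0-9.]+" (\d{3})#';
    $profile = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not an order-received request
        }
        $ip       = $m[1];
        $order_id = (int) $m[2];
        $query    = $m[3] ?? '';
        $status   = (int) $m[4];

        parse_str( $query, $params );
        $has_key = isset( $params['key'] ) && '' !== $params['key'];
        if ( $has_key || 200 !== $status ) {
            continue; // a keyed visit or a denied request is not a disclosure
        }

        $profile[ $ip ]['ids'][ $order_id ] = true;
        if ( isset( $profile[ $ip ]['last'] ) && $order_id === $profile[ $ip ]['last'] + 1 ) {
            $profile[ $ip ]['sequential'] = ( $profile[ $ip ]['sequential'] ?? 0 ) + 1;
        }
        $profile[ $ip ]['last'] = $order_id;
    }
    return $profile;
}

/** Flag clients that fetched at least $threshold distinct keyless order pages. */
function wa_flag_enumerators( string $log, int $threshold = 3 ): array {
    $flagged = array();
    foreach ( wa_order_access_profile( $log ) as $ip => $p ) {
        $distinct = count( $p['ids'] );
        if ( $distinct >= $threshold ) {
            $flagged[ $ip ] = array(
                'distinct_orders'  => $distinct,
                'sequential_steps' => $p['sequential'] ?? 0,
            );
        }
    }
    return $flagged;
}

foreach ( wa_flag_enumerators( $sample_log ) as $ip => $info ) {
    printf(
        "ALERT %s fetched %d distinct order pages without a key (%d sequential steps)\n",
        $ip,
        $info['distinct_orders'],
        $info['sequential_steps']
    );
}
```

On the constructed input only 203.0.113.5 is flagged (five distinct orders, four sequential steps); the keyed visit from 198.51.100.7 is ignored. Once a fix that rejects keyless requests is deployed, the same script can be pointed at the 403 responses instead to confirm that enumeration attempts are being blocked rather than served.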


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-21T19:46:22.700Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69219bd9de5ac9d38c932d9b

Added to database: 11/22/2025, 11:17:45 AM

Last enriched: 11/29/2025, 11:39:46 AM

Last updated: 1/7/2026, 4:54:17 AM