{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T09:53:59.329","vulnerabilities":[{"cve":{"id":"CVE-2025-14270","sourceIdentifier":"security@wordfence.com","published":"2026-02-19T07:17:34.523","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers."},{"lang":"es","value":"El plugin OneClick Chat to Order para WordPress es vulnerable a una omisión de autorización en versiones hasta la 1.0.9, inclusive. Esto se debe a que el plugin no verifica correctamente que un usuario está autorizado para realizar una acción en la función wa_order_number_save_number_field. Esto hace posible que atacantes autenticados, con acceso de nivel Editor o superior, modifiquen los números de teléfono de WhatsApp utilizados por el plugin, redirigiendo pedidos y mensajes de clientes a números de teléfono controlados por el atacante."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N","baseScore":2.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":1.4}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://cwe.mitre.org/data/definitions/862.html","source":"security@wordfence.com"},{"url":"https://developer.wordpress.org/plugins/security/checking-user-capabilities/","source":"security@wordfence.com"},{"url":"https://developer.wordpress.org/plugins/security/nonces/","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L156","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L26","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417664%40oneclick-whatsapp-order&new=3417664%40oneclick-whatsapp-order&sfp_email=&sfph_mail=","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b5-d27c3631a102?source=cve","source":"security@wordfence.com"}]}}]}