
Cloud Vulnerability DB
Community-driven vulnerability database
The OneClick Chat to Order plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2025-13526) affecting all versions up to and including 1.0.8. The vulnerability was discovered in November 2025 and was patched in version 1.0.9. The issue exists in the 'waorderthankyouoverride' function due to missing validation on a user-controlled key (NVD, WordPress Changeset).
The vulnerability stems from insufficient authorization checks in the 'waorderthankyouoverride' function, which allows unauthenticated attackers to access sensitive order information by manipulating the order ID in the URL. The CVSS v3.1 score is 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).
When exploited, this vulnerability allows unauthorized users to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods (NVD).
The vulnerability has been patched in version 1.0.9 of the OneClick Chat to Order plugin. The update implements proper authorization checks to ensure users can only view their own orders or orders they have permission to access. The patch includes user permission checks, admin access control, and guest order protection following WooCommerce standards. Users are strongly advised to update to version 1.0.9 immediately (WordPress Changeset).
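As an added illustration of the authorization pattern the changeset describes (this is example code written for this entry, not the plugin's own code; the function names, the `order_id` and `key` request parameters, and the text domain are hypothetical), the vulnerable shape, where the order shown is chosen purely by a request parameter, is placed beside a check that requires the caller to prove a relationship to the order: the WooCommerce `manage_woocommerce` capability for staff, a matching customer ID for logged-in users, and the per-order secret key for guest orders.

```php
<?php
/**
 * Added example, not the OneClick Chat to Order plugin's own code.
 * Function names are hypothetical; WooCommerce APIs used are real:
 * wc_get_order(), WC_Order::get_customer_id(), WC_Order::get_order_key().
 */

// Vulnerable shape: the only thing deciding which order is rendered is a
// user-controlled id, so any visitor who supplies an id gets that order.
function example_vulnerable_order_lookup( $request ) {
    $order_id = isset( $request['order_id'] ) ? absint( $request['order_id'] ) : 0;
    return wc_get_order( $order_id ); // WC_Order or false; no ownership check at all
}

// Hardened shape: returns true only when the current request may view $order.
function example_can_view_order( $order, $provided_key = '' ) {
    if ( ! $order instanceof WC_Order ) {
        return false;
    }

    // 1. Admin / shop-manager access via WooCommerce's own capability.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }

    // 2. A logged-in customer may only see orders that belong to them.
    $current_user = get_current_user_id();
    if ( $current_user > 0 && (int) $order->get_customer_id() === $current_user ) {
        return true;
    }

    // 3. Guest orders: as on WooCommerce's own thank-you page, access is tied
    //    to the per-order secret key, compared in constant time. A bare
    //    integer id is never sufficient.
    if ( '' !== $provided_key
        && hash_equals( (string) $order->get_order_key(), (string) $provided_key ) ) {
        return true;
    }

    return false;
}

// Gate a thank-you override would call before rendering any order details.
function example_render_order_or_deny( $request ) {
    $order_id = isset( $request['order_id'] ) ? absint( $request['order_id'] ) : 0;
    $key      = isset( $request['key'] ) ? sanitize_text_field( wp_unslash( $request['key'] ) ) : '';
    $order    = wc_get_order( $order_id );

    if ( ! example_can_view_order( $order, $key ) ) {
        // 403 as the response code; nothing about the order is disclosed.
        wp_die( esc_html__( 'You do not have permission to view this order.', 'example-text-domain' ), 403 );
    }

    return $order; // safe to render billing, shipping, items and payment method
}
```

The key design point is that the order ID is treated as a locator, never as a credential: ownership, capability, or possession of the order key decides access, and the denial path returns a generic 403 so that probing IDs reveals nothing about which orders exist.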
Source: This report was generated using AI