OneClick Chat to Order Vulnerability – Authenticated Stored Cross-Site Scripting via Shortcode | WordPress Plugin Vulnerability Report

Plugin Name: OneClick Chat to Order

Key Information:

  • Software Type: Plugin
  • Software Slug: oneclick-whatsapp-order
  • Software Status: Active
  • Software Author: walterpinem
  • Software Downloads: 205,924
  • Active Installs: 30,000
  • Last Updated: January 8, 2024
  • Patched Versions: 1.0.6
  • Affected Versions: <= 1.0.5

Vulnerability Details:

  • Name: OneClick Chat to Order <= 1.0.5
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: NA
  • CVSS Score: 6.4
  • Publicly Published: January 8, 2024
  • Researcher: NA
  • Description: The OneClick Chat to Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level and above permissions can inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.


The OneClick Chat to Order plugin for WordPress has a vulnerability in versions up to and including 1.0.5, allowing authenticated attackers with contributor-level and above permissions to perform Stored Cross-Site Scripting. This vulnerability has been patched in version 1.0.6.

Detailed Overview:

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes within the plugin's shortcode(s). Authenticated attackers can exploit this to inject arbitrary web scripts, posing a risk to contributors and above. The patch in version 1.0.6 addresses this security concern.
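The root cause described above, shown as an added example that is not the plugin's own code: a hypothetical shortcode handler that writes attributes into HTML unescaped, next to a hardened version. The tag names, attribute names and markup are assumptions; `shortcode_atts()`, `sanitize_text_field()`, `esc_url()` and `esc_html()` are WordPress core functions.

```php
<?php
// Added illustration; NOT the plugin's source. The shortcode tags, attribute
// names and markup below are hypothetical.

// Vulnerable pattern: attribute values are concatenated into HTML as-is, so
// any markup a contributor puts in an attribute reaches every visitor's page.
function example_chat_button_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Chat to order', 'url' => '' ),
        $atts
    );
    return '<a class="chat-btn" href="' . $atts['url'] . '">' . $atts['label'] . '</a>';
}
add_shortcode( 'example_chat_button_unsafe', 'example_chat_button_unsafe' );

// Hardened pattern: sanitize on input, then escape for each output context.
function example_chat_button_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Chat to order', 'url' => '' ),
        $atts,
        'example_chat_button'
    );

    // Strip tags and control characters from the visible label.
    $label = sanitize_text_field( $atts['label'] );

    // esc_url() returns '' when the scheme is not in the allow-list,
    // which rejects javascript: and data: URLs outright.
    $url = esc_url( $atts['url'], array( 'https' ) );
    if ( '' === $url ) {
        return ''; // Render nothing rather than a link we cannot trust.
    }

    return sprintf(
        '<a class="chat-btn" href="%s" rel="noopener noreferrer">%s</a>',
        $url,                // already escaped for an attribute/URL context
        esc_html( $label )   // escaped for an HTML text context
    );
}
add_shortcode( 'example_chat_button', 'example_chat_button_safe' );
```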

Advice for Users:

  • Immediate Action: Update OneClick Chat to Order to version 1.0.6 or later.
  • Check for Signs of Vulnerability: Review your site for any unauthorized changes or injected scripts.
  • Alternate Plugins: Consider alternative plugins with similar functionality.
  • Stay Updated: Regularly update your WordPress plugins to the latest versions to avoid vulnerabilities.


The proactive response from the OneClick Chat to Order developers in releasing version 1.0.6 highlights the significance of timely updates. Users are advised to ensure they are running version 1.0.6 or later to secure their WordPress installations.


Simplifying Website Security for Busy Owners

As a busy website owner without ample time to stay on top of every threat, keeping your site secure can feel impossible. But vulnerabilities like the one recently patched in the OneClick Chat to Order plugin only reinforce why vigilance matters. In this post I’ll simplify security for you by clearly explaining this new vulnerability, your risk level, and quick actions you can take.

Understanding the OneClick Chat Vulnerability

OneClick Chat to Order helps over 30,000 WordPress users add chat features using platforms like WhatsApp. This week a security researcher disclosed a vulnerability in versions up to and including 1.0.5 that enables some authenticated users to inject malicious scripts without authorization.

Specifically, the bug stems from insufficient input sanitization in shortcodes. Users with contributor access and above could exploit this to introduce rogue JavaScript or HTML designed to trigger when other visitors load affected pages. Depending on the script’s nature this could enable nuisances like auto-playing audio/video rather than directly stealing data.

The developers have now released version 1.0.6 to fully fix the vulnerability, which scores a moderate 6.4 CVSS severity rating because only certain user roles can exploit it. Still, OneClick Chat users face unnecessary risk until they update.

Assessing Your Site’s Risk Level

Although rated moderately severe rather than critical, the vulnerability still exposes your website unnecessarily if contributors can freely add content. Attackers could leverage scripts for everything from annoying visitors to attempting drive-by malware downloads or mining cryptocurrency using visitor hardware.

The good news is that sites that fully restrict contributor permissions likely face minimal real-world risk even before patching. But everyone should still update, since there is no good reason to leave the vector open. Closing unnecessary vulnerabilities keeps your site safer regardless of how low the current probability of exploitation is.

Updating to Eliminate the Vulnerability

If OneClick Chat is active on your WordPress site, you should:

  • Immediately update to v1.0.6, which specifically repairs this bug by sanitizing data.
  • Check all shortcodes for anything suspicious or unintended.
  • Consider temporarily disabling shortcodes until you have assessed the script risk.
  • Restrict contributor permissions to only those powers legitimately needed.
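One way to carry out the shortcode check in the list above, as an added audit script that is not part of the plugin or the original post. It is written for WP-CLI (`wp eval-file audit-shortcodes.php`); the file name and the tag `example_chat_button` are placeholders, so substitute the shortcode tag(s) your installed plugin registers.

```php
<?php
// Added audit sketch. Lists posts whose shortcode attributes contain markup,
// event-handler syntax or script-capable URL schemes, for manual review.
// Assumption: 'example_chat_button' is a placeholder tag, not the plugin's.
$tags = array( 'example_chat_button' );

// Values a chat-button attribute should never need.
$suspicious = '/\bon[a-z]+\s*=|\bjavascript\s*:|\bdata\s*:/i';

// get_shortcode_regex() groups: 2 = tag name, 3 = raw attribute string.
$pattern = '/' . get_shortcode_regex( $tags ) . '/s';

$posts = get_posts( array(
    'post_type'   => 'any',
    'post_status' => 'any',  // drafts and pending posts count too
    'numberposts' => -1,
) );

$flagged = 0;
foreach ( $posts as $post ) {
    if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
        continue;
    }
    foreach ( $matches as $m ) {
        // Angle brackets are checked on the raw string because
        // shortcode_parse_atts() blanks values with unclosed HTML elements.
        $hit = (bool) preg_match( '/[<>]/', $m[3] );
        foreach ( (array) shortcode_parse_atts( $m[3] ) as $value ) {
            $hit = $hit || preg_match( $suspicious, (string) $value );
        }
        if ( $hit ) {
            $flagged++;
            WP_CLI::warning( sprintf(
                'Post %d (author %d, status %s): [%s] has attributes that need review',
                $post->ID, $post->post_author, $post->post_status, $m[2]
            ) );
        }
    }
}
WP_CLI::log( sprintf( 'Scanned %d posts, flagged %d shortcodes.', count( $posts ), $flagged ) );
```

Flagged entries are candidates for review, not confirmed injections; the author ID in each warning shows which account added the content.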

Staying Secure Long-Term

As OneClick Chat to Order seems to be a relatively new plugin, I unfortunately could not find details on any previous vulnerabilities. However, staying vigilant about security remains crucial as all plugins carry inherent risks. I suggest considering reputable chat plugin alternatives with longer secure track records if this poses a concern for your site.

Regular plugin updates, minimizing unnecessary plugins, managed WordPress hosting solutions and other layers of defense remain wise as well to mitigate inevitable future threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
