WordPress Plugin Vulnerabilities

Call Now Button < 1.5.5 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions

Description

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc.
This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5

Affects Plugins

Plugin icon
call-now-button
Fixed in 1.5.5

References

CVE
CVE-2025-11632
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/379547a2-6b22-4ec9-8570-a043dda7ec09

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jamiryoo
Verified
No
WPVDB ID
46d9c1b2-af99-45bf-a211-44cec7a2b9b6

Timeline

Publicly Published
2025-10-29 (about 6 months ago)
Added
2025-10-29 (about 6 months ago)
Last Updated
2025-10-29 (about 6 months ago)

Other

Published
Title
Published
2024-06-03
Title
Debug Log Manager < 2.3.2 - Missing Authorization
Published
2025-03-24
Title
Top Bar <= 3.3 - Missing Authorization
Published
2025-12-25
Title
Document Revisions < 3.8.0 - Missing Authorization
Published
2026-04-07
Title
Hustle – Email Marketing, Lead Generation, Optins, Popups < 7.8.11 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation
Published
2024-03-28
Title
Social Icons Widget & Block by WPZOOM < 4.2.16 - Missing Authorization