WordPress Plugin Vulnerabilities

Call Now Button < 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update

Description

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.

Affects Plugins

Plugin icon
call-now-button
Fixed in 1.5.4

References

CVE
CVE-2025-11587
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
5494295a-e9de-4a1e-a4c2-3a84048ec3ff

Timeline

Publicly Published
2025-10-28 (about 6 months ago)
Added
2025-10-29 (about 6 months ago)
Last Updated
2025-12-19 (about 5 months ago)

Other

Published
Title
Published
2022-03-30
Title
Advanced Custom Fields < 5.12.1 - Contributor+ Database Information Access
Published
2025-02-28
Title
Secure Copy Content Protection and Content Locking < 4.4.8 - Missing Authorization to Unauthenticated User Email Retrieval via ays_sccp_reports_user_search Function
Published
2024-06-14
Title
Infographic Maker iList < 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Title Update
Published
2026-01-28
Title
EventPrime < 4.2.8.1 - Missing Authorization
Published
2024-09-12
Title
WordPress Tag Cloud Plugin – Tag Groups < 2.0.4 - Missing Authorization to Information Exposure