{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11587", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-10T12:10:27.428Z", "datePublished": "2025-10-29T12:31:51.684Z", "dateUpdated": "2025-12-19T15:40:51.778Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-19T15:40:51.778Z"}, "affected": [{"vendor": "jgrietveld", "product": "Call Now Button \u2013 The #1 Click to Call Button for WordPress", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.5.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Call Now Button \u2013 The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key."}], "title": "Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27"}, {"url": "https://research.cleantalk.org/cve-2025-11587/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-09-26T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2025-10-10T21:23:44.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-28T23:59:27.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-29T13:15:44.175413Z", "id": "CVE-2025-11587", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T13:21:28.252Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11587", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-29T13:15:44.175413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T13:19:17.113Z"}}], "cna": {"title": "Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "jgrietveld", "product": "Call Now Button \u2013 The #1 Click to Call Button for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-26T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-10-10T21:23:44.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-28T23:59:27.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27"}, {"url": "https://research.cleantalk.org/cve-2025-11587/"}], "descriptions": [{"lang": "en", "value": "The Call Now Button \u2013 The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-19T15:40:51.778Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11587", "state": "PUBLISHED", "dateUpdated": "2025-12-19T15:40:51.778Z", "dateReserved": "2025-10-10T12:10:27.428Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-29T12:31:51.684Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Call Now Button \u2013 The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key."}], "id": "CVE-2025-11587", "lastModified": "2025-12-19T16:15:53.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-29T13:15:34.350", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-11587/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"created": "2025-10-30T14:38:33.808824+00:00", "updated": "2025-10-30T14:38:33.808849+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}