Description
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
Published: 2025-10-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Update
AI Analysis

Impact

The Call Now Button – The #1 Click to Call Button for WordPress plugin contains a missing capability check in its activate function for all versions up to 1.5.3. This flaw allows an attacker who has authenticated access with Subscriber-level permissions or higher to activate the plugin and link it to an attacker‑controlled nowbuttons.com account. Once linked, the attacker can add malicious buttons to the site. The vulnerability only applies to fresh installs where the plugin has not yet been configured with an API key, so already configured sites are not affected at the time of discovery.

Affected Systems

The affected plugin is the WordPress plugin Call Now Button – The #1 Click to Call Button for WordPress, versions 1.5.3 and earlier. No other vendors or products are cited.

Risk and Exploitability

The CVSS score of 4.3 classifies this as a moderate impact. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must be authenticated with at least Subscriber permissions, implying exploitation from a valid user account on the target site. Since the flaw only triggers on fresh installations, the attack surface is limited to newly‑installed, unconfigured instances of the plugin.

Generated by OpenCVE AI on April 21, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Call Now Button plugin to the latest available version, which implements the missing capability check in the activate routine.
  • If a upgrade cannot be performed immediately, disable the plugin until a patched version is deployed to prevent accidental configuration via an attacker’s account.
  • Verify the plugin’s API key settings and remove any unfamiliar or unauthorized button configurations that may have been added.

Generated by OpenCVE AI on April 21, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 19 Dec 2025 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 29 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Oct 2025 12:45:00 +0000

Type Values Removed Values Added
Description The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
Title Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:36.379Z

Reserved: 2025-10-10T12:10:27.428Z

Link: CVE-2025-11587

cve-icon Vulnrichment

Updated: 2025-10-29T13:19:17.113Z

cve-icon NVD

Status : Deferred

Published: 2025-10-29T13:15:34.350

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11587

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses