Description
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to the billing portal (where they can view and modify billing information of the connected account), generate chat session tokens, view domain status, and more.
This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5.
Published: 2025-10-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Billing and Sensitive Data
Action: Immediate Patch
AI Analysis

Impact

The Call Now Button plugin for WordPress contains a missing capability check (CWE‑862): several of its functions perform privileged actions without verifying that the caller holds an appropriate capability, so any authenticated user with the Subscriber role or higher can invoke them. According to the advisory, this lets the attacker generate links to the vendor's billing portal (through which billing information of the connected account can be viewed and modified), generate chat session tokens, and view domain status. The exposure of account-level secrets and the reach into billing data drive the confidentiality risk; note that the published CVSS vector scores integrity impact on the WordPress site itself as None, because the modification happens in the external billing portal reached through the generated link rather than in WordPress.

Affected Systems

All releases of the Call Now Button – The #1 Click to Call Button for WordPress plugin up to and including version 1.5.4 are affected (1.5.4 contains only a partial fix). The plugin runs inside a WordPress site, and any logged‑in user holding the Subscriber role or higher can reach the functions that lack the capability check. Sites that allow open registration ("Anyone can register" under Settings > General, which assigns the default Subscriber role) therefore expose these functions to anyone who signs up.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) rates the issue Medium: reachable over the network with low attack complexity, requiring low privileges (any account) and no user interaction, with a low confidentiality impact and no integrity or availability impact scored. The EPSS score of < 1 % indicates a low estimated probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog, so there is no public evidence of active exploitation. The likely attack vector is an authenticated Subscriber sending crafted requests to the plugin's AJAX handlers through admin-ajax.php; this is inferred from the description ("missing capability check on multiple functions") rather than from published code references.
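To make the CWE‑862 pattern concrete, the following PHP snippet contrasts a WordPress AJAX handler that lacks a capability check with a hardened version. This is an added illustration written for this page, not code from the Call Now Button plugin; the action names, function names, the `example_api_key` option and the billing URL are all hypothetical.

```php
<?php
// Added example of CWE-862 (missing authorization) in a WordPress AJAX handler.
// NOT the Call Now Button plugin's code: every name below is hypothetical.

// Vulnerable pattern. wp_ajax_* hooks fire for ANY logged-in user, so a
// Subscriber can reach this handler with a request such as
//   POST /wp-admin/admin-ajax.php  body: action=example_billing_link
// using only their own login cookie. Nothing here verifies a capability or a
// nonce before an account-level secret is turned into a billing-portal link.
add_action( 'wp_ajax_example_billing_link', 'example_billing_link_vulnerable' );
function example_billing_link_vulnerable() {
    $api_key = get_option( 'example_api_key' );   // hypothetical stored secret
    $url     = 'https://billing.example.invalid/portal?key=' . rawurlencode( $api_key );
    wp_send_json_success( array( 'url' => $url ) );
}

// Hardened pattern: verify a nonce bound to this action AND require a
// capability appropriate for plugin administration before doing anything.
add_action( 'wp_ajax_example_billing_link_safe', 'example_billing_link_safe' );
function example_billing_link_safe() {
    // check_ajax_referer() terminates the request (HTTP 403, body "-1")
    // when the 'nonce' parameter is missing or was not issued for this action.
    check_ajax_referer( 'example_billing_link', 'nonce' );

    // The CWE-862 fix: Subscribers do not hold manage_options, so they are
    // rejected here even if they somehow obtained a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $api_key = get_option( 'example_api_key' );
    $url     = 'https://billing.example.invalid/portal?key=' . rawurlencode( $api_key );
    wp_send_json_success( array( 'url' => $url ) );
}

// The nonce the hardened handler expects is handed only to the plugin's own
// settings page script (hypothetical handle 'example-admin' and page hook).
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_billing_link' ),
    ) );
} );
```

The nonce alone is not an authorization control: WordPress nonces are tied to the user and action, not to a capability, so the `current_user_can()` check is the part that actually closes CWE‑862. When reviewing a plugin for this class of bug, grep for `add_action( 'wp_ajax_` (and `wp_ajax_nopriv_`, which is reachable without any login) and confirm each handler checks a capability before touching options, secrets, or remote APIs.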

Generated by OpenCVE AI on April 22, 2026 at 16:45 UTC.

Remediation

The vendor has released a fix: the issue was partially addressed in version 1.5.4 and fully fixed in version 1.5.5. No separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade the Call Now Button plugin to version 1.5.5 or later, which fully implements required capability checks.
  • If an upgrade is not immediately possible, deactivate the plugin until it can be updated; its AJAX handlers are only reachable while the plugin is active, and they cannot be selectively disabled without modifying the plugin's code.
  • Review who holds Subscriber-level accounts: the vulnerability requires only a logged-in account, so disable open registration (Settings > General > "Anyone can register") if it is not needed and remove unused subscriber accounts to limit the number of users who could exploit the vulnerability.



Advisories

No advisories yet.

History

Thu, 30 Oct 2025 14:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Jgrietveld
                     |                | Jgrietveld call Now Button
                     |                | Wordpress
                     |                | Wordpress wordpress
Vendors & Products   |                | Jgrietveld
                     |                | Jgrietveld call Now Button
                     |                | Wordpress
                     |                | Wordpress wordpress

Wed, 29 Oct 2025 14:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Oct 2025 12:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5
Title        |                | Call Now Button <= 1.5.4 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions
Weaknesses   |                | CWE-862
References   |                |
Metrics      |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Jgrietveld Call Now Button
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:23.931Z

Reserved: 2025-10-11T16:14:29.901Z

Link: CVE-2025-11632

Vulnrichment

Updated: 2025-10-29T13:24:34.138Z

NVD

Status : Deferred

Published: 2025-10-29T13:15:35.323

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11632

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses