CVE-2025-11587

low-risk

Published 2025-10-29

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

References (3)

https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/...

https://research.cleantalk.org/cve-2025-11587/

https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-945...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal