Unauthorized Data Modification in Call Now Button for WordPress by WordPress
CVE-2025-11587

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Call Now Button – The #1 Click To Call Button For WordPress
Vendor: CVE Published:; 29 October 2025

What is CVE-2025-11587?

The Call Now Button plugin for WordPress contains a vulnerability that allows authenticated attackers with Subscriber-level access and higher to exploit the absence of a capability check in the activate function. This issue enables these attackers to associate the plugin with their nowbuttons.com account and potentially inject malicious elements into the site. It is important to note that this vulnerability is only applicable to new installations where the plugin has not been set up with a pre-configured API key.

Affected Version(s)

Call Now Button – The #1 Click to Call Button for WordPress * <= 1.5.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/call-now-butto...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 29, 2025
Vulnerability Reserved
Oct 10, 2025

Credit

Dmitrii Ignatyev

JSON