{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11587", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-10T12:10:27.428Z", "datePublished": "2025-10-29T12:31:51.684Z", "dateUpdated": "2026-04-08T17:26:36.379Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:36.379Z"}, "affected": [{"vendor": "jgrietveld", "product": "Call Now Button \u2013 The #1 Click to Call Button for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Call Now Button \u2013 The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key."}], "title": "Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27"}, {"url": "https://research.cleantalk.org/cve-2025-11587/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-09-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-10T21:23:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-28T23:59:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T17:20:06.510426Z", "id": "CVE-2025-11587", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T17:20:17.935Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11587", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T17:20:06.510426Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T13:19:17.113Z"}}], "cna": {"title": "Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "jgrietveld", "product": "Call Now Button \u2013 The #1 Click to Call Button for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-10T21:23:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-28T23:59:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27"}, {"url": "https://research.cleantalk.org/cve-2025-11587/"}], "descriptions": [{"lang": "en", "value": "The Call Now Button \u2013 The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:36.379Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11587", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:36.379Z", "dateReserved": "2025-10-10T12:10:27.428Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-29T12:31:51.684Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Call Now Button \u2013 The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key."}], "id": "CVE-2025-11587", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-29T13:15:34.350", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-11587/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:44:39.220026+00:00", "value": {"mitigation_remediation": ["Upgrade the Call Now Button plugin to the latest available version, which implements the missing capability check in the activate routine.", "If a upgrade cannot be performed immediately, disable the plugin until a patched version is deployed to prevent accidental configuration via an attacker\u2019s account.", "Verify the plugin\u2019s API key settings and remove any unfamiliar or unauthorized button configurations that may have been added."], "summary": {"action": "Patch Update", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected plugin is the WordPress plugin Call Now Button \u2013 The #1 Click to Call Button for WordPress, versions 1.5.3 and earlier. No other vendors or products are cited.", "description_and_impact": "The Call Now Button \u2013 The #1 Click to Call Button for WordPress plugin contains a missing capability check in its activate function for all versions up to 1.5.3. This flaw allows an attacker who has authenticated access with Subscriber-level permissions or higher to activate the plugin and link it to an attacker\u2011controlled nowbuttons.com account. Once linked, the attacker can add malicious buttons to the site. The vulnerability only applies to fresh installs where the plugin has not yet been configured with an API key, so already configured sites are not affected at the time of discovery.", "risk_and_exploitability": "The CVSS score of 4.3 classifies this as a moderate impact. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must be authenticated with at least Subscriber permissions, implying exploitation from a valid user account on the target site. Since the flaw only triggers on fresh installations, the attack surface is limited to newly\u2011installed, unconfigured instances of the plugin."}}}}, "created": "2025-10-30T14:38:33.808824+00:00", "updated": "2026-04-21T18:45:06.086875+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}