CVE-2025-11587
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to link the vulnerable plugin to external nowbuttons.com accounts and add malicious buttons to the site. It affects fresh installations of the Call Now Button plugin where no API key has been previously configured. The missing capability check enables unauthorized data modification.
💻 Affected Systems
- Call Now Button – The #1 Click to Call Button for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript buttons that redirect users to phishing sites, steal credentials, or perform cross-site scripting attacks on all site visitors.
Likely Case
Low-privileged users could add spammy or unwanted call buttons that degrade user experience and potentially harm site reputation.
If Mitigated
If the plugin was previously configured with an API key, the vulnerability cannot be exploited, limiting impact to new installations only.
🎯 Exploit Status
Requires authenticated access with at least Subscriber privileges. Exploitation is straightforward once access is obtained on vulnerable configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.5.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.4/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Call Now Button' and click 'Update Now' if available. 4. Alternatively, download version 1.5.4+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Configure API Key Immediately
allConfigure the plugin with a valid API key from nowbuttons.com to prevent exploitation
Navigate to WordPress admin → Call Now Button → Settings → enter API key
Remove Plugin Until Patched
WordPress CLITemporarily deactivate and remove the vulnerable plugin
wp plugin deactivate call-now-button
wp plugin delete call-now-button
🧯 If You Can't Patch
- Restrict user registration and review existing Subscriber-level accounts for suspicious activity
- Implement web application firewall rules to block requests to the vulnerable activate function
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Call Now Button version. If version is 1.5.3 or earlier and no API key is configured, the system is vulnerable.Check Version:
wp plugin get call-now-button --field=versionVerify Fix Applied:
Verify plugin version is 1.5.4 or later in WordPress admin panel, or check that API key is properly configured in plugin settings.📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to /wp-admin/admin-ajax.php with action='ott_activate'
- Multiple failed API key configuration attempts from non-admin users
Network Indicators:
- Outbound connections to nowbuttons.com API from WordPress instances with unconfigured Call Now Button plugin
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "ott_activate") AND user_role="subscriber"