CVE-2025-11632 – This vulnerability in the Call Now Button WordP... (How to Fix)

Q: What is the severity of CVE-2025-11632?

CVE-2025-11632 has a CVSS score of 4.3 (MEDIUM). This vulnerability in the Call Now Button WordPress plugin allows authenticated attackers with Subscriber-level access or higher to access and modify billing information, generate chat session tokens, and view domain status without proper authorization. The issue affects all versions up to and including 1.5.4 due to missing capability checks on multiple admin functions. WordPress sites using the vulnerable plugin are affected.

📋 TL;DR

This vulnerability in the Call Now Button WordPress plugin allows authenticated attackers with Subscriber-level access or higher to access and modify billing information, generate chat session tokens, and view domain status without proper authorization. The issue affects all versions up to and including 1.5.4 due to missing capability checks on multiple admin functions. WordPress sites using the vulnerable plugin are affected.

💻 Affected Systems

Products:

Call Now Button – The #1 Click to Call Button for WordPress

Versions: All versions up to and including 1.5.4

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin and at least one authenticated user with Subscriber role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify billing information, generate unauthorized chat sessions, potentially leading to financial fraud, service disruption, or unauthorized access to sensitive account data.

🟠

Likely Case

Subscriber-level users accessing and viewing billing information they shouldn't have access to, potentially leading to information disclosure and minor account manipulation.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to attempted unauthorized access that can be detected and blocked.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access but only Subscriber-level privileges, which are commonly granted to users. Exploitation involves calling specific AJAX endpoints without proper authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.5

Vendor Advisory: https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.5

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Call Now Button' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.5.5 from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Call Now Button plugin until patched

Restrict user roles

all

Limit Subscriber-level user creation and review existing Subscriber accounts

🧯 If You Can't Patch

Implement strict access controls and monitor for unusual Subscriber-level activity
Consider using web application firewall rules to block suspicious AJAX requests to the vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Call Now Button version. If version is 1.5.4 or lower, you are vulnerable.

Check Version:

wp plugin list --name='call-now-button' --field=version (if WP-CLI is available)

Verify Fix Applied:

After updating, verify plugin version shows 1.5.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual AJAX requests from Subscriber-level users to /wp-admin/admin-ajax.php with action parameters related to billing, chat tokens, or domain status

Network Indicators:

HTTP POST requests to admin-ajax.php with unexpected parameters from non-admin users

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND ("action=cnb" OR "action=cnb_"*) AND user_role="subscriber"

📊 Metadata

CVE ID: CVE-2025-11632

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-862

EPSS Score: 0.05% exploit probability (14.4th percentile)

Published: October 29, 2025

Last Updated: October 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11632, you might also want to check these: