CVE-2025-24738
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the NowButtons.com Call Now Button WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. This affects WordPress sites using the Call Now Button plugin versions up to 1.4.13. Attackers could modify plugin settings without the administrator's knowledge.
💻 Affected Systems
- NowButtons.com Call Now Button WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could change the plugin's call button settings to redirect users to malicious sites, modify phone numbers to premium-rate numbers, or disable security features.
Likely Case
Attackers modify the call button configuration to redirect users or change displayed phone numbers, potentially leading to social engineering attacks or financial scams.
If Mitigated
With proper CSRF protections, administrators would be prompted for confirmation before any changes are made, preventing unauthorized modifications.
🎯 Exploit Status
CSRF attacks are well-understood and easy to implement. Exploitation requires tricking an authenticated administrator into visiting a malicious page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.14 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Call Now Button' and click 'Update Now'. 4. Verify version is 1.4.14 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate call-now-button
CSRF Protection Middleware
allImplement additional CSRF protection at web server or application level
🧯 If You Can't Patch
- Restrict administrator access to trusted networks only
- Implement strict Content Security Policy (CSP) headers to prevent malicious script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Call Now Button version. If version is 1.4.13 or lower, you are vulnerable.Check Version:
wp plugin get call-now-button --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 1.4.14 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unexpected plugin setting changes in WordPress logs
- Multiple failed CSRF token validations
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php without proper referrer headers
- Suspicious cross-origin requests to plugin endpoints
SIEM Query:
source="wordpress.log" AND "call-now-button" AND ("updated" OR "changed")