CVE-2025-11587
BaseFortify
Publication date: 2025-10-29
Last updated on: 2025-10-30
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | call_now_button | 1.5.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Call Now Button WordPress plugin (up to version 1.5.3) where there is a missing capability check in the activate function. This allows authenticated users with Subscriber-level access or higher to link the plugin to their own nowbuttons.com account and add malicious buttons to the site. It only affects fresh installs where the plugin has not been configured with an API key.
How can this vulnerability impact me?
An attacker with Subscriber-level access can exploit this vulnerability to add malicious buttons to your WordPress site via the Call Now Button plugin. This could lead to unauthorized modifications on your site, potentially misleading users or causing other security issues.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Call Now Button plugin to a version later than 1.5.3 where the issue is fixed. If updating is not possible, restrict Subscriber-level access and above from activating or configuring the plugin until a patch is applied. Additionally, verify that the plugin has been configured with an API key to prevent exploitation on fresh installs.
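The missing-authorization pattern described above (CWE-862, a WordPress AJAX handler that writes site configuration without checking the caller's capability), shown as an added illustrative example; this is not the Call Now Button plugin's code, and the handler, option and nonce names (`cnb_example_*`) are assumptions. The vulnerable shape sits beside a hardened one that adds the nonce and capability checks.

```php
<?php
// Added illustrative example, not the Call Now Button plugin's own code.
// All cnb_example_* names are assumptions chosen for this illustration.

// Vulnerable shape: wp_ajax_* hooks fire for every logged-in user, so a
// Subscriber can reach this handler, and nothing verifies that the caller
// is allowed to configure the plugin before the site-wide option is written.
function cnb_example_activate_vulnerable() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'cnb_example_api_key', $api_key ); // links the site to the caller's account
    wp_send_json_success();
}

// Hardened shape: reject the request unless it carries a valid nonce (CSRF)
// and the caller holds 'manage_options' (authorization), the capability
// administrators have and Subscribers do not.
function cnb_example_activate_hardened() {
    if ( ! check_ajax_referer( 'cnb_example_activate', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request token.' ), 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Mirrors the "fresh installs only" condition in the advisory: an install
    // that already has an API key must not be re-linked through this path.
    if ( get_option( 'cnb_example_api_key', '' ) !== '' ) {
        wp_send_json_error( array( 'message' => 'Plugin already configured.' ), 409 );
    }
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    if ( '' === $api_key ) {
        wp_send_json_error( array( 'message' => 'Missing API key.' ), 400 );
    }
    update_option( 'cnb_example_api_key', $api_key );
    wp_send_json_success();
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_cnb_example_activate', 'cnb_example_activate_hardened' );
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*`, `admin_post_*` and REST callback that writes options and confirm a `current_user_can()` check precedes the write; the login requirement alone is not an authorization check.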