Call Now Button is a popular WordPress plugin (200k+ installs) that adds a call/chat overlay to a website and can be managed locally or via the vendor’s cloud. During testing, we identified CVE-2025-11587, a high-severity CSRF / Missing Authorization vulnerability that allows an attacker to force-bind a victim site to an attacker-controlled Call Now Button (CNB) cloud account. The flaw is an unprotected admin-post activation endpoint that accepts a one-time token (OTT) from the request and stores it directly in the plugin’s persistent options, enabling cloud management without verifying the caller’s capabilities and without verifying any nonce. The result is an arbitrary plugin configuration update that hands the attacker remote control over the on-site overlay and funnels visitor interactions into the attacker’s cloud project.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-11587 |
| Plugin version | Call Now Button <= 1.5.3 |
| Severity | High |
| All-time downloads | 6 620 388 |
| Active installations | 200 000+ |
| Publicly published | October 28, 2025 |
| Last updated | October 29, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11587 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/call-now-button/call-now-button-153-missing-authorization-to-authenticated-subscriber-limited-plugin-settings-update |
Timeline
| Date | Event |
| --- | --- |
| September 26, 2025 | Plugin testing and vulnerability detection in Call Now Button – The #1 Click to Call Button for WordPress has been completed |
| September 26, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 28, 2025 | Registered CVE-2025-11587 |
Discovery of the Vulnerability
The vulnerable endpoint is registered as /wp-admin/admin-post.php?action=cnb_apikey_activate
It is implemented in src/admin/api-key/class-ott-controller.php::activate() and invoked via the admin-post handler in src/CallNowButton.php. The handler reads api_key or api_key_ott from the GET query using filter_input(...) and then immediately mutates configuration with update_option('cnb', $options), including setting cloud_enabled and storing the supplied token/key. Critically, this code path never calls current_user_can(...) and performs no check_admin_referer() / wp_verify_nonce() validation. That violates the expected order for state-changing admin endpoints (“capability → nonce → validate input → side effects”) and enables both low-privilege abuse (any Subscriber can request the endpoint directly) and CSRF (a logged-in administrator can be made to trigger it from a page on another site).
Understanding CSRF attacks
WordPress relies on capability checks (e.g., current_user_can('manage_options')) to stop low-privilege users from changing global configuration, and on nonces (check_admin_referer()) to stop CSRF. admin-post.php endpoints are a frequent source of trouble when developers omit either check: an admin_post_{action} hook runs in an “admin” context yet is reachable by any logged-in user, and if the plugin also registers admin_post_nopriv_{action} the same code is reachable by unauthenticated visitors. Similar patterns have appeared across themes and plugins where “helper” endpoints were left open, enabling silent settings manipulation, forced activation of features, or unwanted third-party integrations. In this case the missing authorization is particularly dangerous because it binds the site to an attacker’s external cloud account, granting ongoing remote control beyond WordPress itself.
Exploiting the CSRF Vulnerability
To exploit CVE-2025-11587, an attacker needs no administrative credentials: a Subscriber account, or a logged-in victim who loads an attacker-controlled page, is enough.
POC:
1) In your own CNB cloud account, create an OTT (one-time token) and make sure you are able to create a button there.
2) On the target WordPress site, sign in as a Subscriber (the lowest default role), or prepare a CSRF page for a logged-in victim.
3) Send this single GET request (no nonce, no capability required):
/wp-admin/admin-post.php?action=cnb_apikey_activate&api_key_ott=cnbott_d467d13d_f490_47d7_8e2a_{your_key}
(You can obtain such a token by starting the plugin’s cloud activation flow in your own localhost WordPress and capturing the request; once you have the token, do not complete the activation on your localhost, because the token is single-use.) If the site is installed under a subdirectory, prefix the path accordingly, e.g. /wordpress/wp-admin/....
4) Verify that the site is now connected to your CNB cloud account and that the button is immediately enabled; in the database, the row with option_name='cnb' now contains {"cloud_enabled":1,"api_key":"<attacker key/ott binding>"}.
CSRF variant: the same URL can be triggered by a logged-in victim simply loading a page that contains an <img src> pointing at that endpoint.
This vulnerability enables a highly practical takeover of the plugin’s user-facing behavior without requiring admin access. Once the attacker binds the site to their CNB cloud account, they can:
- Enable/disable the call widget site-wide.
- Replace phone numbers or destinations to redirect users to attacker-controlled contact channels.
- Inject misleading UI elements (“Support”, “Billing”, “Security”) for phishing/social engineering.
- Collect interaction metadata (clicks, messages, user timing) within the attacker’s cloud project.
- Maintain persistence: even if WordPress credentials are rotated, cloud control can remain until the binding is discovered and removed.
For businesses that rely on call/chat widgets for customer support or lead generation, this can cause revenue loss, reputational damage, and user trust erosion immediately.
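The binding described above is discovered by looking at two places: the stored cnb option and the web-server access log. The following PHP is an added example for this write-up, not code from the advisory or from the plugin. It audits the cnb option for the state the PoC leaves behind ({"cloud_enabled":1,"api_key":...}), can revert it to local mode, and scans combined-format access-log lines for hits on the activation endpoint so the time and source of a forced binding can be established. The cnb_audit_* function names and the sample log lines are constructed for this example; the option key and field names come from the PoC.

```php
<?php
// Added example, not the plugin's code. Audits and reverts a forced CNB cloud binding
// and locates the request that caused it. Option key 'cnb' and the fields
// cloud_enabled / api_key are taken from the advisory's PoC; everything else is assumed.

/** True when the stored options show the plugin bound to a cloud account. */
function cnb_audit_is_cloud_bound($options): bool {
    if (!is_array($options)) {
        return false;
    }
    $key = isset($options['api_key']) ? (string) $options['api_key'] : '';
    return !empty($options['cloud_enabled']) || $key !== '';
}

/** An api_key still carrying the OTT prefix seen in the PoC was stored straight from a request. */
function cnb_audit_key_looks_like_ott(string $key): bool {
    return strpos($key, 'cnbott_') === 0;
}

/** Return the options with the binding removed, i.e. back to local (non-cloud) mode. */
function cnb_audit_unbind(array $options): array {
    $options['cloud_enabled'] = 0;
    unset($options['api_key']);
    return $options;
}

/**
 * Find requests to the vulnerable endpoint in Apache/Nginx combined-format log lines.
 * Returns client IP, timestamp, method and request target for each hit.
 */
function cnb_audit_scan_access_log(iterable $lines): array {
    $hits = [];
    $re = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S*admin-post\.php\?[^" ]*\baction=cnb_apikey_activate[^" ]*) HTTP/#';
    foreach ($lines as $line) {
        if (preg_match($re, $line, $m)) {
            $hits[] = ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'request' => $m[4]];
        }
    }
    return $hits;
}

/** Wrapper that runs inside WordPress (mu-plugin, or `wp eval-file audit.php`). */
function cnb_audit_run(bool $revert = false): array {
    $options = get_option('cnb', []);
    $key     = is_array($options) && isset($options['api_key']) ? (string) $options['api_key'] : '';
    $report  = [
        'bound'      => cnb_audit_is_cloud_bound($options),
        'key_is_ott' => $key !== '' && cnb_audit_key_looks_like_ott($key),
        'reverted'   => false,
    ];
    if ($report['bound'] && $revert) {
        update_option('cnb', cnb_audit_unbind((array) $options));
        $report['reverted'] = true;
    }
    return $report;
}

// Stand-alone demonstration with constructed data when run outside WordPress.
if (PHP_SAPI === 'cli' && !function_exists('get_option')) {
    $stored = ['cloud_enabled' => 1, 'api_key' => 'cnbott_d467d13d_f490_47d7_8e2a_example'];
    var_dump(cnb_audit_is_cloud_bound($stored));
    var_dump(cnb_audit_key_looks_like_ott($stored['api_key']));
    var_dump(cnb_audit_is_cloud_bound(cnb_audit_unbind($stored)));

    $log = [ // constructed combined-format lines; only the first should be reported
        '203.0.113.7 - - [26/Sep/2025:10:14:02 +0000] "GET /wp-admin/admin-post.php?action=cnb_apikey_activate&api_key_ott=cnbott_d467d13d_f490_47d7_8e2a_example HTTP/1.1" 302 0 "http://attacker.example/" "Mozilla/5.0"',
        '198.51.100.9 - - [26/Sep/2025:10:14:05 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ];
    print_r(cnb_audit_scan_access_log($log));
}
```

Two details of the log scan matter in practice: a Referer pointing at a foreign origin on the matching line is the signature of the <img src> CSRF variant rather than a direct Subscriber request, and because the PoC uses a GET request the full OTT is preserved in the log, which lets you compare it with the api_key value stored in the database.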
Recommendations for Improved Security
- Update Call Now Button to the latest version; releases up to and including 1.5.3 are affected.
- For developers: apply the order “capability → nonce → validate input → side effects” to every admin-post handler. Check current_user_can('manage_options') first, require a nonce with check_admin_referer() (and generate the activation link with wp_nonce_url() so the plugin’s own UI carries one), validate the token format, and only then call update_option(). Do not register an admin_post_nopriv_ hook for this action, and do not treat a token supplied in the request as proof of the administrator’s intent.
- For site owners: inspect the cnb option (option_name='cnb' in wp_options) for an unexpected cloud_enabled or api_key value, reset the plugin to local mode or re-bind it to your own CNB cloud account, and search your access logs for requests to admin-post.php?action=cnb_apikey_activate to establish when and from where the binding was forced.
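To make the fix concrete for both the code path described under “Discovery of the Vulnerability” and the recommendations above, here is an added example in PHP. It is not the plugin’s source: it reconstructs the handler pattern the advisory describes and places the hardened version beside it, with the gates in the order “capability → nonce → validate input → side effects”. The cnb_example_* function names, the text domain, the OTT regex (only the cnbott_ prefix comes from the PoC) and the post-activation redirect are assumptions; the option key 'cnb' and the cloud_enabled / api_key fields come from the advisory.

```php
<?php
// Added example, not the plugin's code. Reconstructs the vulnerable admin-post pattern the
// advisory describes and shows the corrected handler. Names prefixed cnb_example_ and the
// token regex are assumptions; option key 'cnb' and its fields come from the PoC.

/** Vulnerable pattern as described: an attacker-supplied token goes straight into options. */
function cnb_example_activate_vulnerable(): void {
    $ott = (string) filter_input(INPUT_GET, 'api_key_ott', FILTER_DEFAULT);
    $options = get_option('cnb', []);
    $options = is_array($options) ? $options : [];
    $options['cloud_enabled'] = 1;
    $options['api_key']       = $ott;
    update_option('cnb', $options);   // state change with no current_user_can() and no nonce check
    wp_safe_redirect(admin_url());
    exit;
}

/** Hardened handler: every gate runs before the first write. */
function cnb_example_activate_hardened(): void {
    // 1. Capability: binding the site to an external account is a global setting.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to do that.', 'cnb-example'), '', ['response' => 403]);
    }

    // 2. Nonce: check_admin_referer() stops the request unless it carries a valid '_wpnonce'
    //    for this action, which an <img src> or a cross-site form cannot supply.
    check_admin_referer('cnb_apikey_activate');

    // 3. Input validation: unslash, sanitize, then require the expected token shape
    //    (prefix from the PoC; the remainder of the format is an assumption).
    $raw = isset($_GET['api_key_ott']) ? wp_unslash($_GET['api_key_ott']) : '';
    $ott = sanitize_text_field(is_string($raw) ? $raw : '');
    if (!preg_match('/^cnbott_[A-Za-z0-9_]{8,100}$/', $ott)) {
        wp_die(esc_html__('Invalid activation token.', 'cnb-example'), '', ['response' => 400]);
    }

    // 4. Side effects only now.
    $options = get_option('cnb', []);
    $options = is_array($options) ? $options : [];
    $options['cloud_enabled'] = 1;
    $options['api_key']       = $ott;
    update_option('cnb', $options);

    wp_safe_redirect(wp_get_referer() ?: admin_url());
    exit;
}

// Register only the logged-in hook. Leaving admin_post_nopriv_* unregistered keeps the
// endpoint unreachable for anonymous visitors; the checks above cover logged-in callers.
add_action('admin_post_cnb_apikey_activate', 'cnb_example_activate_hardened');

/** Build the activation link from the plugin's own settings page so it carries the nonce. */
function cnb_example_activation_url(string $ott): string {
    $url = add_query_arg(
        ['action' => 'cnb_apikey_activate', 'api_key_ott' => rawurlencode($ott)],
        admin_url('admin-post.php')
    );
    return wp_nonce_url($url, 'cnb_apikey_activate');
}
```

The capability check comes first on purpose: a nonce only proves the request originated from the site’s own UI for the current user, so a Subscriber who follows a nonced link from a page they can see would still pass step 2. Step 1 is what excludes low-privilege accounts, and step 2 is what excludes the CSRF variant.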
By taking proactive measures against CSRF and missing-authorization issues like CVE-2025-11587, WordPress site owners can strengthen their security posture and guard against exploitation. Stay vigilant, stay secure.
Dmitrii I.
