cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for call-now-button

Jun 06, 2024

Call Now Button – The #1 Click to Call Button for WordPress # CVE-2022-1455

CVE, Research URL

CVE-2022-1455

Date
May 16, 2022
Research Description
The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled.
Affected versions
max 1.1.2.
Status
vulnerable

Call Now Button – The #1 Click to Call Button for WordPress # CVE-2024-2908

CVE, Research URL

CVE-2024-2908

Date
Apr 26, 2024
Research Description
The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions
max 1.4.7.
Status
vulnerable

Jul 24, 2024

Call Now Button – The #1 Click to Call Button for WordPress # PSC-2024-25378

PSC, Research URL

PSC-2024-25378

Date
Aug 05, 2025
Research Description
The Call Now Button plugin simplifies communication for mobile users by adding a convenient click-to-call button at the bottom of the screen. With a single touch, visitors can initiate a call, eliminating the need for manual dialing or navigating to the contact page. In addition to its primary function, the plugin offers enhanced security features, including robust protection against potential vulnerabilities, validated through the Plugin Security Certification (PSC) from CleanTalk.
Affected versions
Min 1.4.7, max 1.4.10.
Status
SAFE & CERTIFIED

Jan 25, 2025

Call Now Button – The #1 Click to Call Button for WordPress # CVE-2025-24738

CVE, Research URL

CVE-2025-24738

Date
Jan 24, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in NowButtons.com Call Now Button allows Cross Site Request Forgery. This issue affects Call Now Button: from n/a through 1.4.13.
Affected versions
max 1.4.14.
Status
vulnerable

Nov 11, 2025

Call Now Button – The #1 Click to Call Button for WordPress # CVE-2025-11632

CVE, Research URL

CVE-2025-11632

Date
Oct 29, 2025
Research Description
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to the billing portal, where they can view and modify billing information of the connected account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5.
Affected versions
max 1.5.5.
Status
vulnerable

Call Now Button – The #1 Click to Call Button for WordPress # CVE-2025-11587

CVE, Research URL

CVE-2025-11587

Date
Oct 29, 2025
Research Description
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
Affected versions
max 1.5.4.
Status
vulnerable