cleantalk
Vulnerabilities and Security Researches

Call Now Button – The #1 Click to Call Button for WordPress, CVE-2025-11587

CVE, Research URL

CVE-2025-11587

Home page URL

Security reports for Call Now Button – The #1 Click to Call Button for WordPress

Application

Call Now Button – The #1 Click to Call Button for WordPress

Published on
Oct 29, 2025
Research Description
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
Affected versions
max 1.5.4.
Status
vulnerable
Previous vulnerability researches
CropRefine (CVE-2025-52734) , Nov 10, 2025
New vulnerability
TempTool [Show Current Template Info] (CVE-2025-62955) , Nov 11, 2025
Clearblue® Ovulation Calculator (CVE-2025-60196) , Nov 11, 2025
Visual Link Preview (CVE-2025-11987) , Nov 11, 2025
Simple Tableau Viz (CVE-2025-11817) , Nov 11, 2025
Ultra Addons Lite for Elementor (CVE-2023-53589) , Nov 11, 2025