CVE-2025-11587

Name of the Vulnerable Software and Affected Versions The Call Now Button – The #1 Click to Call Button for WordPress plugin versions prior to 1.5.4

Description The plugin is susceptible to unauthorized data modification because of a missing capability check within the activate function. This allows authenticated attackers with Subscriber-level access or higher to associate the plugin with a nowbuttons.com account and introduce malicious buttons to the website. The issue is exploitable only on new installations where the plugin hasn't been configured with an API key.

Recommendations Update to version 1.5.4 or later.