PT-2025-44275 · WordPress · Call Now Button

Burak Kılınç · Published 2025-10-29 · Updated 2025-10-29 · CVE-2025-11632

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Call Now Button versions prior to 1.5.5

Description

The Call Now Button plugin for WordPress is susceptible to unauthorized data access because of a missing capability check in multiple functions. Attackers with Subscriber-level access or higher can generate links to a billing portal, allowing them to view and modify billing information, generate chat session tokens, and view domain status. The issue was partially addressed in version 1.5.4 and fully resolved in version 1.5.5. The vulnerable functions lack proper authorization controls, potentially exposing sensitive data.

Recommendations

Update Call Now Button to version 1.5.5 or later.

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-11632

Affected Products

Call Now Button