CVE-2025-24738

Name of the Vulnerable Software and Affected Versions Call Now Button versions 1.4.13 and earlier

Description A Cross-Site Request Forgery (CSRF) issue affects the Call Now Button, allowing unauthorized requests. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. The vulnerability can be exploited through API Endpoints such as the Call Now Button's backend, by manipulating the request variable. Technical details about exploitation include the use of vulnerable function names like processRequest().

Recommendations For Call Now Button versions 1.4.13 and earlier, update to a version later than 1.4.13 to resolve the issue. As a temporary workaround, consider disabling the processRequest() function until a patch is available. Restrict access to the Call Now Button's backend to minimize the risk of exploitation. Avoid using the request variable in the affected API endpoint until the issue is resolved.