CVE-2025-11587: CWE-862 Missing Authorization in jgrietveld Call Now Button – The #1 Click to Call Button for WordPress
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
AI Analysis
Technical Summary
CVE-2025-11587 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin 'Call Now Button – The #1 Click to Call Button' developed by jgrietveld. The flaw exists in all versions up to and including 1.5.3, where the plugin's activate function lacks a proper capability check. This missing authorization allows any authenticated user with Subscriber-level permissions or higher to link the plugin to their own nowbuttons.com account on fresh plugin installations that have not yet been configured with an API key. By doing so, the attacker can add malicious call buttons to the affected WordPress site, potentially misleading visitors or redirecting calls. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium), reflecting low attack complexity and low privileges required, with an impact confined to integrity and no effect on confidentiality or availability. No public exploits have been reported yet. The vulnerability primarily threatens sites that use this plugin on new WordPress deployments before initial configuration, making it a narrow but significant risk vector. Since the plugin is popular for click-to-call functionality, exploitation could lead to unauthorized content injection and reputational damage.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the integrity of their WordPress websites using the affected plugin. Attackers with low-level authenticated access (Subscriber or above) can insert malicious call buttons, potentially redirecting users to fraudulent numbers or services, which could lead to reputational harm, customer trust erosion, and indirect financial losses. While the vulnerability does not expose sensitive data or cause denial of service, the unauthorized modification of site content can facilitate social engineering or fraud campaigns. Organizations with public-facing WordPress sites that rely on this plugin, especially those in sectors like e-commerce, customer service, or telecommunications, may face increased risk. The exploitability on fresh installs means new deployments or sites undergoing plugin reinstallation are particularly vulnerable. Given the medium CVSS score and absence of known exploits, the immediate threat is moderate but should not be underestimated, especially in environments where subscriber accounts are widely granted or where plugin configuration is delayed.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Update the 'Call Now Button' plugin to a patched version as soon as one is available; until a patch exists, consider temporarily disabling or uninstalling the plugin on new WordPress installs.
2) Restrict Subscriber-level user permissions to the minimum necessary and audit user roles so that low-privilege accounts cannot trigger plugin activation.
3) Implement strict access controls and monitoring on WordPress admin accounts, especially on sites with multiple low-privilege users.
4) During initial plugin setup, configure the API key promptly to close the window of exploitability.
5) Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to link the plugin to unauthorized accounts.
6) Conduct regular security audits and vulnerability scans focusing on WordPress plugins and their configurations.
7) Educate site administrators about the risks of unauthorized plugin activation and the importance of timely configuration.
These steps go beyond generic advice by focusing on the specific conditions that enable exploitation and emphasizing proactive configuration and access management.
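The following PHP is an added illustration of the CWE-862 pattern described in the Technical Summary and of the capability check and "configure the API key promptly" guard recommended in items 2 and 4 above. It is not the plugin's own code: the handler names (cnb_activate_*), the hook name admin_post_cnb_activate, the option name cnb_api_key and the settings page slug are all assumptions chosen for the example. It shows a hypothetical account-linking handler without any authorization check, and the same handler with the checks a WordPress plugin should perform before storing an account key.

```php
<?php
// Added example (hypothetical, not the Call Now Button plugin's code).
// WordPress runs admin_post_{action} hooks for any logged-in user, so without
// a capability check a Subscriber can reach this handler just like an admin.

// BEFORE: missing authorization (CWE-862). On a fresh install with no key
// stored yet, any authenticated user can store their own account key.
function cnb_activate_unchecked() {
    if ( get_option( 'cnb_api_key', '' ) === '' ) {
        $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
        update_option( 'cnb_api_key', $key );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=cnb' ) );
    exit;
}

// AFTER: capability check, CSRF nonce, same-state guard and an audit line.
function cnb_activate_checked() {
    // 1. Authorization: only users allowed to manage site options may link
    //    the plugin to a remote account. This is the check the advisory says
    //    is missing in the vulnerable versions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'cnb' ), 403 );
    }

    // 2. CSRF: the form must carry a nonce issued for this specific action
    //    (the settings form renders it with wp_nonce_field( 'cnb_activate' )).
    check_admin_referer( 'cnb_activate' );

    // 3. State guard (mitigation item 4): an already-configured key can
    //    never be replaced through the activation path.
    if ( get_option( 'cnb_api_key', '' ) !== '' ) {
        wp_die( esc_html__( 'Plugin is already linked to an account.', 'cnb' ), 409 );
    }

    // 4. Input handling: unslash, sanitize, and reject an empty key.
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( $key === '' ) {
        wp_die( esc_html__( 'Missing API key.', 'cnb' ), 400 );
    }
    update_option( 'cnb_api_key', $key );

    // 5. Audit trail for detection: record who linked the account and from
    //    where, so a link made by an unexpected account stands out in logs.
    error_log( sprintf(
        'cnb: account linked by user %d from %s',
        get_current_user_id(),
        sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) )
    ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=cnb' ) );
    exit;
}

// Only the checked handler is hooked; the unchecked one is shown for contrast.
add_action( 'admin_post_cnb_activate', 'cnb_activate_checked' );
```

The ordering matters: the capability check runs before any state is read or written, so an unauthorized request fails closed before it can learn whether a key is configured. The 409 guard is what actually closes the window the advisory describes, since the flaw is exploitable only while no key is stored; once an administrator has linked the site, the activation path refuses to overwrite it regardless of who calls it.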
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-10T12:10:27.428Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69020d512a3e20b1cb02a670
Added to database: 10/29/2025, 12:49:21 PM
Last enriched: 10/29/2025, 1:04:34 PM
Last updated: 10/30/2025, 2:22:55 AM