CVE-2025-11587: CWE-862 Missing Authorization in jgrietveld Call Now Button – The #1 Click to Call Button for WordPress
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-11587 is a vulnerability classified under CWE-862 (Missing Authorization) affecting all versions up to and including 1.5.3 of the 'Call Now Button – The #1 Click to Call Button' WordPress plugin developed by jgrietveld. The root cause is the absence of a capability check in the plugin's activate function, which is responsible for linking the plugin to an external nowbuttons.com account. This missing authorization allows any authenticated user with at least Subscriber-level privileges to activate the plugin and associate it with their own account. Consequently, the attacker can add malicious call buttons to the WordPress site, potentially misleading visitors or redirecting calls to attacker-controlled numbers. The vulnerability is exploitable only on fresh plugin installations that have not been previously configured with an API key, limiting the attack surface to new or reset deployments. The CVSS v3.1 score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity without affecting confidentiality or availability. No patches or fixes have been published yet, and no active exploitation has been reported. The vulnerability highlights the importance of proper authorization checks in plugin activation workflows, especially for plugins interfacing with external services.
Potential Impact
The primary impact of CVE-2025-11587 is unauthorized modification of site content through the injection of malicious call buttons. This can undermine the integrity of the affected WordPress site by displaying attacker-controlled phone numbers, potentially leading to social engineering, fraud, or reputational damage. While confidentiality and availability are not directly affected, the presence of malicious buttons can erode user trust and may facilitate further attacks such as phishing or scams. Organizations with open user registration or low-privilege user roles are at higher risk, as attackers only need Subscriber-level access to exploit the vulnerability. The limitation to fresh installs reduces the scope somewhat but does not eliminate risk for new deployments or sites that reset plugin configurations. Given the popularity of WordPress and the plugin’s niche, small to medium businesses relying on click-to-call functionality could be disproportionately impacted. The lack of known exploits in the wild suggests limited current threat activity, but the vulnerability could be leveraged in targeted attacks or automated campaigns once weaponized.
Mitigation Recommendations
To mitigate CVE-2025-11587, site administrators should ensure that the plugin's account-linking (activate) step can only be performed by trusted administrator roles, so that Subscribers or other low-privilege users cannot link or configure the plugin. Because the issue is only exploitable before an API key has been configured, completing the plugin's setup with a legitimate key immediately after installation, and verifying that the stored key still belongs to the site owner, closes the window on existing deployments. Disable or remove the plugin on sites where it is not essential, especially on fresh installs. Monitor WordPress sites for unexpected or unauthorized call buttons linking to unknown accounts on nowbuttons.com. Enforce strict user role management and limit user registration to trusted individuals to reduce the risk of exploitation. Since no official patch is currently available, consider applying custom code to enforce a capability check on the activate function, or temporarily block that action via hooks or filters. Watch for vendor updates or security advisories providing patches and apply them promptly. Additionally, conduct regular security audits and vulnerability scans focusing on plugin configurations and user permissions to detect potential misuse early.
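The following PHP is an added illustration, not code from the Call Now Button plugin or from Wordfence. It shows the CWE-862 pattern the advisory describes (an AJAX handler that stores an external API key without checking who is calling) beside a hardened version, and a site-side mu-plugin shim of the kind the mitigation paragraph suggests for enforcing a capability check before an unpatched handler runs. The action name `example_link_account`, the option name `example_api_key`, and the nonce action are placeholders; the real plugin's hook names are not given on this page and must be taken from its own `add_action('wp_ajax_...')` registration. The shim assumes the vulnerable step is exposed through `wp_ajax_*`; if it were a REST route or `admin_post_*` handler instead, the same capability check would go on the corresponding hook.

```php
<?php
/**
 * Added example (not the plugin's code). Demonstrates a missing-authorization
 * (CWE-862) account-linking handler, its hardened form, and a defensive shim.
 * Placeholders: action 'example_link_account', option 'example_api_key'.
 */

// --- Vulnerable pattern: any logged-in user who can reach wp_ajax_* can
//     store an API key and thereby link the site to *their* external account.
//     The "fresh install" guard only checks that no key exists yet, which is
//     exactly the window the advisory describes.
function example_link_account_vulnerable() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    if ( '' !== $api_key && '' === get_option( 'example_api_key', '' ) ) {
        update_option( 'example_api_key', $api_key ); // state change, no authz
        wp_send_json_success();
    }
    wp_send_json_error( 'already linked or missing key' );
}

// --- Hardened pattern: authorization (capability) and CSRF (nonce) checks run
//     before any state change. manage_options limits this to administrators.
function example_link_account_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_link_account', 'nonce' ); // dies on failure

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    if ( '' === $api_key ) {
        wp_send_json_error( 'missing key', 400 );
    }
    if ( '' !== get_option( 'example_api_key', '' ) ) {
        wp_send_json_error( 'already linked', 409 );
    }
    update_option( 'example_api_key', $api_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_link_account', 'example_link_account_hardened' );

// --- Site-side shim for an unpatched plugin: place in wp-content/mu-plugins/.
//     Priority 0 runs before a handler registered at the default priority 10,
//     so non-administrators never reach the vulnerable function. Replace the
//     action name with the one the plugin actually registers. The log line
//     gives responders a record of who attempted the linking step.
add_action( 'wp_ajax_example_link_account', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'blocked account-linking attempt by user %d from %s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown'
        ) );
        wp_send_json_error( 'forbidden', 403 );
    }
}, 0 );
```

The shim is a stopgap for the window before a vendor fix is available; once a patched version ships, remove the shim so it does not mask the plugin's own behaviour during testing. Whichever hook the plugin uses, the ordering matters: the check must be registered at a lower priority number than the plugin's handler, or it runs too late.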
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-10T12:10:27.428Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69020d512a3e20b1cb02a670
Added to database: 10/29/2025, 12:49:21 PM
Last enriched: 2/27/2026, 7:08:58 PM
Last updated: 3/23/2026, 6:46:01 AM