The vulnerability identified as CVE-2025-11587 affects the 'Call Now Button – The #1 Click to Call Button for WordPress' plugin. It is caused by a missing capability check in the activate function, allowing authenticated users with low privileges (Subscriber-level and above) to modify plugin settings by linking the plugin to an attacker-controlled nowbuttons.com account. This can result in unauthorized addition of malicious call buttons on the affected WordPress site. The flaw is exploitable only on fresh plugin installations that have not been previously configured with an API key. The CVSS v3.1 base score is 4.3, indicating medium severity, with the vector showing network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and low integrity impact.

The vulnerability allows authenticated users with Subscriber-level access or higher to perform unauthorized modifications to the plugin configuration, specifically linking it to an attacker-controlled account and injecting malicious call buttons. This could lead to integrity issues on the affected site, such as displaying unauthorized or malicious content. There is no direct impact on confidentiality or availability reported. The exploit is limited to fresh installs without prior API key configuration, reducing the attack surface.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting Subscriber-level access or higher to trusted users only and ensure the plugin is configured with a valid API key immediately after installation to prevent exploitation. Monitoring plugin configurations for unauthorized changes is also advisable.