CVE-2025-11587: CWE-862 Missing Authorization in jgrietveld Call Now Button – The #1 Click to Call Button for WordPress
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
AI Analysis
Technical Summary
CVE-2025-11587 is a vulnerability classified under CWE-862 (Missing Authorization) affecting all versions up to and including 1.5.3 of the 'Call Now Button – The #1 Click to Call Button' WordPress plugin developed by jgrietveld. The root cause is the absence of a capability check in the plugin's activation function, which is responsible for linking the plugin to an external nowbuttons.com account via an API key. Because of this missing authorization, any authenticated user with at least Subscriber-level privileges can exploit the vulnerability on fresh plugin installations that have not been configured with an API key. Such an attacker can link the plugin to their own account and add malicious call buttons to the WordPress site, potentially misleading site visitors or redirecting calls to attacker-controlled numbers. The vulnerability is remotely exploitable without user interaction and requires no privileges beyond Subscriber-level access, which is a low-privilege role in WordPress. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited impact on confidentiality and availability but a clear integrity impact due to unauthorized modification of plugin data. No patches or fixes are currently linked, and no known exploits are reported in the wild. The vulnerability is particularly relevant for sites that have recently installed the plugin and have not yet completed initial configuration steps.
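The pattern behind CWE-862 in a WordPress plugin, shown as an added illustration that is not the Call Now Button plugin's own code: a hypothetical AJAX handler that stores an API key to link the site to an external account, first without any authorization check (so every logged-in user, Subscriber included, can reach it), then hardened with a capability check and a nonce. All function, option, action and nonce names (`example_cnb_*`) are invented for this example.

```php
<?php
// Added illustrative example, not the plugin's actual code. Every identifier
// prefixed example_cnb_ is hypothetical.

// --- Vulnerable pattern (CWE-862): authentication is checked, authorization is not.
// wp_ajax_* hooks are reachable by ANY logged-in user, regardless of role.
add_action( 'wp_ajax_example_cnb_activate', 'example_cnb_activate_vulnerable' );

function example_cnb_activate_vulnerable() {
    // Only checks that the site is not yet configured, never WHO is asking.
    if ( get_option( 'example_cnb_api_key' ) ) {
        wp_send_json_error( 'already configured', 409 );
    }
    // On a fresh install a Subscriber can therefore store their own key here.
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'example_cnb_api_key', $api_key );
    wp_send_json_success();
}

// --- Hardened pattern: authorization and CSRF checks before any state change.
// Deliberately no wp_ajax_nopriv_ hook, so unauthenticated requests never arrive.
add_action( 'wp_ajax_example_cnb_activate_safe', 'example_cnb_activate_safe' );

function example_cnb_activate_safe() {
    // 1. Authorization: linking the site to an external account is an admin task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the nonce must have been issued on the plugin's own settings page
    //    with wp_create_nonce( 'example_cnb_activate' ); dies on mismatch.
    check_ajax_referer( 'example_cnb_activate', 'nonce' );

    // 3. First-time setup only, matching the advisory's "fresh install" condition.
    if ( get_option( 'example_cnb_api_key' ) ) {
        wp_send_json_error( 'already configured', 409 );
    }

    // 4. Validate the input before persisting it.
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( '' === $api_key ) {
        wp_send_json_error( 'missing api_key', 400 );
    }
    update_option( 'example_cnb_api_key', $api_key, false );

    // 5. Audit trail: who linked the account and when, which supports the
    //    settings-change monitoring recommended for this class of issue.
    update_option( 'example_cnb_linked_by', get_current_user_id(), false );
    update_option( 'example_cnb_linked_at', time(), false );

    wp_send_json_success();
}
```

The essential difference is step 1: `wp_ajax_*` handlers (and REST routes without a strict `permission_callback`) run for every authenticated user, so the handler itself must decide whether the caller's role is allowed to perform the action. The nonce in step 2 prevents cross-site request forgery but is not a substitute for the capability check, since a Subscriber can obtain a nonce for any page they can load.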
Potential Impact
For European organizations, the primary impact is the unauthorized modification of website content via malicious call buttons, which can lead to reputational damage, user deception, and potential fraud if visitors are redirected to attacker-controlled phone numbers. While the vulnerability does not directly compromise sensitive data confidentiality or site availability, the integrity of the website's user interface and trustworthiness is at risk. Organizations relying on WordPress sites with this plugin, especially those with multiple users having Subscriber-level access (e.g., content contributors), are vulnerable. Attackers could exploit this to conduct social engineering or phishing campaigns via the website. The risk is heightened for fresh plugin installations that have not been configured, which may be common in newly deployed or recently updated sites. Given the medium severity and ease of exploitation by low-privilege users, the vulnerability could be leveraged as a foothold for further attacks or to damage brand reputation.
Mitigation Recommendations
European organizations should immediately verify whether the 'Call Now Button – The #1 Click to Call Button' plugin is installed on their WordPress sites and identify the version in use. For fresh installs, the plugin should be configured with a valid API key as soon as possible to prevent exploitation. If the plugin is not essential, consider uninstalling it to eliminate risk. Site administrators should audit user roles and restrict Subscriber-level access to trusted users only. Implement monitoring to detect unauthorized changes to plugin settings or unexpected call button additions. Since no patch is currently available, applying strict access controls and completing initial plugin configuration are critical. Additionally, organizations should keep abreast of updates from the plugin vendor or WordPress security advisories for forthcoming patches. Employing a Web Application Firewall (WAF) with rules to detect anomalous plugin activation requests could provide temporary protection. Finally, educating content contributors about the risk and signs of malicious buttons can aid early detection.
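The first two recommendations above (inventory the plugin and its version, and review who holds Subscriber-level access) can be scripted with WP-CLI. The script below is an added example, not part of the advisory; it assumes WP-CLI is available on the site host and that the plugin's slug is `call-now-button` (an assumption to verify against the site's plugin directory, overridable through `PLUGIN_SLUG`).

```shell
#!/bin/sh
# Added example (not from the advisory). Checks whether a plugin is installed at a
# version inside the affected range (<= 1.5.3) and lists Subscriber accounts.
# Assumes WP-CLI ("wp") on the host and the plugin slug below (assumed, not confirmed).
set -e

PLUGIN_SLUG="${PLUGIN_SLUG:-call-now-button}"
LAST_AFFECTED="1.5.3"

# vnum VERSION: map "major.minor.patch" to a single integer so versions can be
# compared numerically; missing components count as 0, non-digits are dropped.
vnum() {
    ma=$(printf '%s\n' "$1" | cut -s -d. -f1 | tr -cd '0-9')
    mi=$(printf '%s\n' "$1" | cut -s -d. -f2 | tr -cd '0-9')
    pa=$(printf '%s\n' "$1" | cut -s -d. -f3 | tr -cd '0-9')
    # A bare "1" has no dots, so cut -s prints nothing; fall back to the whole string.
    [ -n "$ma" ] || ma=$(printf '%s\n' "$1" | tr -cd '0-9')
    echo $(( ${ma:-0} * 1000000 + ${mi:-0} * 1000 + ${pa:-0} ))
}

# version_le A B: true when version A <= version B.
version_le() {
    [ "$(vnum "$1")" -le "$(vnum "$2")" ]
}

# check_plugin: 0 = installed and affected, 1 = not installed, 2 = newer than 1.5.3.
check_plugin() {
    if ! wp plugin is-installed "$PLUGIN_SLUG" >/dev/null 2>&1; then
        echo "$PLUGIN_SLUG: not installed"
        return 1
    fi
    ver=$(wp plugin get "$PLUGIN_SLUG" --field=version)
    if version_le "$ver" "$LAST_AFFECTED"; then
        echo "$PLUGIN_SLUG $ver: within affected range (<= $LAST_AFFECTED)."
        echo "  Complete the API-key setup now, or remove the plugin if it is not needed."
        return 0
    fi
    echo "$PLUGIN_SLUG $ver: above $LAST_AFFECTED; check the vendor changelog for the fix."
    return 2
}

# audit_subscribers: every account that can reach wp_ajax_* handlers with the lowest
# role, plus whether self-registration (which grants that role by default) is open.
audit_subscribers() {
    echo "users_can_register: $(wp option get users_can_register)"
    wp user list --role=subscriber --fields=ID,user_login,user_registered
}

if command -v wp >/dev/null 2>&1; then
    check_plugin || true
    audit_subscribers
else
    echo "wp-cli not found; run this on the WordPress host." >&2
fi
```

Run it from the WordPress root (or with `--path=`) as the web user. A non-zero `users_can_register` means any visitor can create a Subscriber account, which turns this "authenticated" vulnerability into one reachable by anyone on the internet on an unconfigured install.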
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-10T12:10:27.428Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69020d512a3e20b1cb02a670
Added to database: 10/29/2025, 12:49:21 PM
Last enriched: 12/27/2025, 4:25:43 AM
Last updated: 2/7/2026, 5:03:56 AM