CVE-2025-11632 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin 'Call Now Button – The #1 Click to Call Button' developed by jgrietveld. This plugin, widely used to provide click-to-call functionality on WordPress websites, suffers from a missing capability check on multiple functions in all versions up to and including 1.5.4. The flaw allows any authenticated user with at least Subscriber-level privileges to bypass intended authorization controls. Exploiting this vulnerability, an attacker can generate links to the billing portal, enabling them to view and modify billing information associated with the connected account. Additionally, attackers can generate chat session tokens and view domain status information, potentially leading to further unauthorized actions or information disclosure. The vulnerability does not require user interaction beyond authentication and can be exploited remotely with low complexity. The vendor partially addressed the issue in version 1.5.4 and fully remediated it in version 1.5.5. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality, no impact on integrity or availability, and requiring low privileges but no user interaction. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the importance of proper authorization checks in WordPress plugins, especially those handling sensitive billing and session data.

For European organizations, this vulnerability poses a risk primarily to websites using the affected WordPress plugin for click-to-call functionality. Unauthorized access to billing information could lead to financial data exposure or manipulation, potentially violating GDPR requirements for data protection and privacy. The ability to generate chat session tokens and view domain status could facilitate further attacks or unauthorized access to communication channels. While the vulnerability does not directly impact system availability or integrity, the confidentiality breach could damage organizational reputation and customer trust. Organizations relying on this plugin for customer interaction or billing management may face compliance risks and operational disruptions if exploited. The risk is heightened for organizations with multiple users having Subscriber-level access or higher, as these accounts could be leveraged by attackers to escalate privileges or access sensitive data.

European organizations should immediately verify the version of the 'Call Now Button – The #1 Click to Call Button' plugin installed on their WordPress sites and upgrade to version 1.5.5 or later, where the vulnerability is fully fixed. In addition to patching, organizations should audit user roles and permissions to ensure that only trusted users have Subscriber-level or higher access, minimizing the attack surface. Implementing strict access controls and monitoring for unusual activity related to billing portals and chat session token generation is recommended. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the vulnerable plugin endpoints. Regular security assessments and plugin vulnerability scans should be incorporated into routine maintenance. Finally, organizations should review their incident response plans to quickly address any potential exploitation attempts.