CVE-2025-11632 is a missing authorization vulnerability (CWE-862) in the WordPress plugin 'Call Now Button – The #1 Click to Call Button' developed by jgrietveld. This plugin enables click-to-call functionality on WordPress sites. The vulnerability exists because multiple functions lack proper capability checks, allowing authenticated users with Subscriber-level privileges or higher to bypass intended access controls. Exploitable functions include those that generate links to the billing portal, enabling attackers to view and modify billing information associated with the connected account, generate chat session tokens, and view domain status. The issue affects all plugin versions up to and including 1.5.4. A partial fix was introduced in version 1.5.4, but a complete fix was only implemented in version 1.5.5. The vulnerability requires the attacker to have at least Subscriber-level authenticated access, which is a low privilege level in WordPress, making exploitation feasible in many scenarios where user registration is open or compromised accounts exist. The CVSS v3.1 base score is 4.3, indicating a medium severity primarily due to the confidentiality impact and ease of exploitation without user interaction. No integrity or availability impacts are noted. No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin makes it a potential target for attackers seeking to escalate privileges or access sensitive billing data.

The primary impact of CVE-2025-11632 is unauthorized access to sensitive billing information and related account data through the vulnerable WordPress plugin. Attackers with Subscriber-level access can view and modify billing details, generate chat session tokens, and access domain status information, potentially leading to financial fraud, privacy violations, and unauthorized account manipulation. Although the vulnerability does not directly affect system integrity or availability, the exposure of billing and account data can facilitate further attacks such as social engineering, phishing, or lateral movement within an organization’s infrastructure. Organizations relying on this plugin for customer interaction or billing management are at risk of data leakage and reputational damage. Since the vulnerability requires authenticated access, the risk is heightened in environments where user registration is open or where accounts have been compromised. The medium CVSS score reflects the moderate impact, but the widespread use of WordPress and the plugin increases the potential attack surface globally.

1. Immediate upgrade to version 1.5.5 or later of the 'Call Now Button – The #1 Click to Call Button' plugin to ensure the full authorization checks are in place. 2. Review and restrict user registration policies to limit Subscriber-level access to trusted users only. 3. Implement strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of account compromise. 4. Audit existing user accounts for suspicious activity or unauthorized access, especially those with Subscriber or higher privileges. 5. Monitor web server and application logs for unusual access patterns related to billing portal URLs or chat session token generation. 6. Consider additional WordPress security hardening measures, including role-based access control plugins that enforce stricter capability checks. 7. Educate site administrators and users about the risks of unauthorized access and encourage prompt application of security updates. 8. If upgrading immediately is not possible, temporarily disable or restrict access to the vulnerable plugin’s features via web application firewall (WAF) rules or plugin configuration.