CVE-2025-11632: CWE-862 Missing Authorization in jgrietveld Call Now Button – The #1 Click to Call Button for WordPress
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to the billing portal, where they can view and modify billing information of the connected account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5.
AI Analysis
Technical Summary
CVE-2025-11632 is a missing authorization vulnerability (CWE-862) in the Call Now Button – The #1 Click to Call Button for WordPress plugin. The flaw exists due to lack of proper capability checks on multiple functions, allowing authenticated users with low privileges (Subscriber-level and above) to generate links to sensitive billing portal features and access or modify billing information, generate chat session tokens, and view domain status. The vulnerability affects all versions up to and including 1.5.4. Partial remediation was implemented in version 1.5.4, with a complete fix in version 1.5.5.
Potential Impact
Authenticated attackers with Subscriber-level privileges or higher can exploit this vulnerability to access and modify billing information, generate chat session tokens, and view domain status without proper authorization. This could lead to unauthorized disclosure and modification of sensitive account-related data. The vulnerability does not impact confidentiality beyond billing data, nor does it affect system availability or integrity beyond the described scope.
Mitigation Recommendations
Users should upgrade the Call Now Button plugin to version 1.5.5 or later, where the vulnerability is fully fixed. Versions prior to 1.5.5, including 1.5.4, are vulnerable or only partially mitigated. No other mitigations are indicated by the vendor advisory. Patch status is confirmed fixed in 1.5.5.
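To show the defect class this advisory describes, the following is an added illustration and not the plugin's own code: a WordPress AJAX handler that hands out an account-scoped billing-portal link with no capability check, beside the hardened form. All handler, action and option names (the `cnb_example_*` identifiers) are hypothetical.

```php
<?php
// Added illustration; hypothetical names, not the Call Now Button plugin's code.

// Vulnerable pattern: wp_ajax_* hooks fire for ANY logged-in user, so being
// authenticated is the only gate. A Subscriber can call this action directly.
add_action( 'wp_ajax_cnb_example_billing_link', 'cnb_example_billing_link_vulnerable' );
function cnb_example_billing_link_vulnerable() {
    // Missing: current_user_can() check (CWE-862). Any role reaches this line.
    $portal  = get_option( 'cnb_example_portal_url' );  // hypothetical option
    $account = get_option( 'cnb_example_account_id' );  // hypothetical option
    wp_send_json_success( array( 'url' => $portal . '?account=' . $account ) );
}

// Hardened pattern: verify the nonce (CSRF) AND require an administrative
// capability (authorization) before exposing account-scoped data.
add_action( 'wp_ajax_cnb_example_billing_link_secure', 'cnb_example_billing_link_secure' );
function cnb_example_billing_link_secure() {
    // Rejects the request (HTTP 403) when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'cnb_example_billing', 'nonce' );

    // The actual fix for CWE-862: a nonce proves intent, not privilege. Any
    // logged-in user who can load a page carrying the nonce could still call
    // this, so the capability check is what keeps Subscribers out.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $portal  = get_option( 'cnb_example_portal_url' );
    $account = get_option( 'cnb_example_account_id' );
    wp_send_json_success( array( 'url' => esc_url_raw( $portal . '?account=' . $account ) ) );
}
```

When auditing a plugin for this class of bug, list every `wp_ajax_*` and REST route callback and confirm each one performs a `current_user_can()` (or REST `permission_callback`) check appropriate to the data it touches; a nonce check alone does not satisfy that.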
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-11T16:14:29.901Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69020d512a3e20b1cb02a675
Added to database: 10/29/2025, 12:49:21 PM
Last enriched: 4/9/2026, 3:55:12 PM
Last updated: 5/10/2026, 4:18:31 AM