CVE-2025-24738: Cross-Site Request Forgery (CSRF) in Jerry Rietveld Call Now Button
Cross-Site Request Forgery (CSRF) vulnerability in Jerry Rietveld Call Now Button call-now-button allows Cross Site Request Forgery. This issue affects Call Now Button: from n/a through <= 1.4.13.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-24738 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Jerry Rietveld Call Now Button WordPress plugin, affecting all versions up to and including 1.4.13. CSRF vulnerabilities occur when a web application does not adequately verify that requests performing state-changing actions originate from the legitimate user rather than from a third-party site. In this case, the Call Now Button plugin fails to implement proper anti-CSRF tokens or origin checks, so an attacker can craft a malicious web page that, when visited by an authenticated user, causes the user's browser to submit unintended requests such as modifying plugin settings or triggering calls. The vulnerability is significant because it rides on the victim's authenticated session and therefore bypasses normal authorization controls. Although no exploits have been reported in the wild, the flaw is publicly disclosed and could be weaponized against websites that use this plugin. The plugin is widely used, particularly on small and medium business websites, to provide a quick-call button. Because no CVSS score has been assigned, severity must be assessed independently, taking into account the ease of exploitation (no complex technical skill required), the requirement that the victim be authenticated, and the potential impact on website functionality and user trust. The vulnerability does not directly affect confidentiality, but it can impact integrity and availability if exploited to alter plugin behavior or disrupt services. The lack of patch links means users must monitor vendor updates or apply manual mitigations.
Potential Impact
The primary impact of this CSRF vulnerability is unauthorized modification or triggering of actions within the Call Now Button plugin, performed through the browser of an authenticated user who is lured to an attacker-controlled page. This can lead to unauthorized changes in plugin configuration, potentially disrupting communication channels or causing reputational damage if malicious calls are initiated. For organizations, this can result in loss of customer trust, operational disruption, and potential financial loss if call routing or contact mechanisms are manipulated. Since exploitation requires the victim to hold an authenticated session, the exposure is limited to users with sufficient privileges; however, many WordPress sites have multiple users with varying roles, which widens the pool of potential victims. The vulnerability does not directly expose sensitive data but compromises the integrity and availability of plugin functionality. Attackers could also use it as a foothold for further attacks or social engineering. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially since public disclosure may encourage attackers to develop exploits. Organizations worldwide using this plugin, especially in sectors that rely on customer contact by phone, are at risk of service disruption and trust erosion.
Mitigation Recommendations
To mitigate CVE-2025-24738, organizations should first check for updates or patches from the Jerry Rietveld plugin developer and apply them promptly once available. In the absence of an official patch, administrators can apply manual mitigations such as Web Application Firewall (WAF) rules that block cross-site state-changing requests to the plugin's endpoints (for example, POST requests whose Origin or Referer header does not match the site's own origin). Setting session cookies with a strict SameSite attribute reduces CSRF risk by preventing the browser from attaching them to cross-site requests. Administrators should also review user roles and permissions to minimize the number of accounts able to perform sensitive actions through the plugin. A Content Security Policy (CSP) that restricts which domains may execute scripts reduces the overall attack surface, although CSP on the target site does not by itself block a CSRF request launched from another site. Monitoring web server logs for unusual POST requests to plugin URLs, particularly those carrying a foreign Referer or Origin, can aid in early detection of exploitation attempts. Finally, educating users about the risks of browsing untrusted websites while logged in to the WordPress dashboard reduces the likelihood of a successful CSRF attack.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:52:51.692Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd7282e6bfc5ba1deeaa7b
Added to database: 4/1/2026, 7:31:14 PM
Last enriched: 4/1/2026, 9:42:12 PM
Last updated: 4/4/2026, 8:17:56 AM