VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026

CVE-2025-11587

Description

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing capability check in Call Now Button plugin (≤1.5.3) allows authenticated subscribers to force-bind the plugin to an attacker-controlled cloud account, enabling malicious button injection.

The Call Now Button plugin for WordPress (versions up to and including 1.5.3) contains a missing capability check in the activate function, which is accessible via the wp-admin/admin-post.php?action=cnb_apikey_activate endpoint. This endpoint, responsible for linking the plugin to a cloud account on nowbuttons.com, fails to verify that the requesting user has sufficient privileges (e.g., Administrator) and also lacks a nonce check, making it vulnerable to both unauthorized access and cross-site request forgery (CSRF) [1].

An authenticated attacker with as little as Subscriber-level access can exploit this vulnerability on a fresh plugin installation that has not yet been configured with an API key. By crafting a request containing a one-time token (OTT), the attacker can force the plugin to bind to their own cloud account. Because the endpoint stores the token directly into the plugin's persistent options without proper validation, the attacker gains full control over the plugin's configuration [1].
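The two paragraphs above describe an admin-post handler that any logged-in user can reach and that writes a caller-supplied token straight into the options table. The following is an added illustration, not the Call Now Button plugin's own code: a hypothetical handler for the `cnb_apikey_activate` action in the vulnerable shape beside a hardened one that adds the capability check and nonce check the advisory says are missing. The option name `cnb_example_api_key`, the `ott` parameter name and the token format are placeholders.

```php
<?php
// Added illustration, not the Call Now Button plugin's own code.
// Hypothetical handler for admin-post.php?action=cnb_apikey_activate.
// 'cnb_example_api_key' and 'ott' are placeholder names, not the plugin's.

// VULNERABLE PATTERN: admin_post_{action} fires for any authenticated user,
// so a Subscriber can reach this, and the token is persisted unchecked.
function cnb_example_activate_vulnerable() {
    $token = isset( $_REQUEST['ott'] ) ? $_REQUEST['ott'] : '';
    update_option( 'cnb_example_api_key', $token ); // no capability or nonce check
    wp_safe_redirect( admin_url( 'admin.php?page=cnb_example' ) );
    exit;
}

// HARDENED PATTERN: require an Administrator-level capability, verify a
// nonce so the request cannot be forged cross-site, refuse to overwrite
// an existing key, and validate the value before it is persisted.
function cnb_example_activate_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with 403 unless the request carries a valid nonce for this action.
    check_admin_referer( 'cnb_example_activate' );

    if ( get_option( 'cnb_example_api_key', '' ) !== '' ) {
        wp_die( 'Plugin is already linked to a cloud account.', '', array( 'response' => 409 ) );
    }

    $token = isset( $_POST['ott'] ) ? sanitize_text_field( wp_unslash( $_POST['ott'] ) ) : '';
    // Placeholder token format; a real handler would use the vendor's format.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{16,128}$/', $token ) ) {
        wp_die( 'Invalid activation token.', '', array( 'response' => 400 ) );
    }

    update_option( 'cnb_example_api_key', $token );
    wp_safe_redirect( admin_url( 'admin.php?page=cnb_example' ) );
    exit;
}

// Being logged in is authentication only; the capability check inside the
// handler is the authorization step this CVE reports as missing.
add_action( 'admin_post_cnb_apikey_activate', 'cnb_example_activate_hardened' );
```

The matching form must emit the nonce with `wp_nonce_field( 'cnb_example_activate' )` for `check_admin_referer()` to pass.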

Once the plugin is bound to the attacker's cloud account, the attacker can remotely control the on-site overlay (e.g., call/chat buttons) and inject malicious buttons or content. This can lead to phishing attacks, redirection to malicious sites, or other harmful actions, as user interactions are funneled to the attacker's cloud project [1].

The vulnerability is partially mitigated by the requirement that the plugin must be on a fresh install with no pre-configured API key. The vendor has not yet released a patched version as of the publication date. Users are advised to ensure that the plugin is configured with a legitimate API key immediately after installation, and to restrict access to admin accounts. The CleanTalk research includes a proof of concept, but no active exploit has been reported [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.