Call Now Button WordPress Plugin Missing Authorization Vulnerability on Fresh Installs

Vulnerability

The Call Now Button WordPress plugin is vulnerable in versions through 1.5.3. The activate function lacks a capability check, so authenticated attackers with Subscriber-level access and above can manipulate plugin data. Exploitation involves linking the plugin to a nowbuttons.com account and adding malicious buttons to the site. The vulnerability only affects new installations of the plugin that have not yet been configured with an API key.
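
The missing capability check described above, shown as an added example that is not the plugin's own code: a hypothetical activation handler, assumed here to be registered as an authenticated AJAX action, first without and then with authorization. Every `example_cnb_*` name, the `api_key` and `nonce` fields, and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
// Added illustration. Every example_cnb_* name, the 'api_key' and 'nonce'
// fields and the AJAX registration are assumptions, not the plugin's code.

// Before: wp_ajax_* hooks fire for any logged-in user, so without a
// capability check a Subscriber can set the key on an unconfigured site.
function example_cnb_activate_unchecked() {
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'example_cnb_api_key', $key );
    wp_send_json_success();
}

// After: authorize, verify the nonce, and never replace an existing key.
function example_cnb_activate_checked() {
    // 1. Capability check: only administrators may link the account.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF check: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_cnb_activate', 'nonce' );

    // 3. State check: activation is a one-time step on a fresh install.
    if ( '' !== (string) get_option( 'example_cnb_api_key', '' ) ) {
        wp_send_json_error( array( 'message' => 'Already configured.' ), 409 );
    }

    // 4. Input check: reject an empty or non-string key.
    $raw = $_POST['api_key'] ?? '';
    $key = is_string( $raw ) ? sanitize_text_field( wp_unslash( $raw ) ) : '';
    if ( '' === $key ) {
        wp_send_json_error( array( 'message' => 'Missing API key.' ), 400 );
    }

    update_option( 'example_cnb_api_key', $key );
    wp_send_json_success();
}

// Register only the checked handler; there is deliberately no
// wp_ajax_nopriv_* hook, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_cnb_activate', 'example_cnb_activate_checked' );
```

The state check in step 3 matters independently of the capability check: it keeps a later request from relinking a site that already has a key.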

Impact

Exploitation of this vulnerability allows for unauthorized modification of plugin data, including the addition of malicious buttons on the site.

Remediation

Users are advised to update the Call Now Button WordPress plugin to version 1.5.4 or a newer patched version.

Added: Oct 29, 2025, 1:19 PM
Updated: Oct 29, 2025, 1:19 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 0.8
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.