Call Now Button
cpe:2.3:a:callnowbutton:call_now_button:*:*:*:*:wordpress:*:*
- <= 1.5.4
A vulnerability exists in the Call Now Button WordPress plugin in versions through 1.5.4. Several functions lack proper capability checks, allowing authenticated attackers with Subscriber-level access or higher to access unauthorized data. Exploitation lets an attacker generate links to the billing portal (where billing information can be viewed and modified), generate chat session tokens, and check domain status, among other actions.
Exploitation allows unauthorized access to sensitive billing information, modification of billing details, generation of chat tokens, and retrieval of domain status information.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can invoke the affected functions through AJAX requests. The missing capability checks will allow access to the billing portal links, chat tokens, and domain status information without proper authorization.
Users are advised to update the Call Now Button WordPress plugin to version 1.5.5 or later.
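The bug class described above, shown as an added example that is not the plugin's own code: a WordPress AJAX handler with no capability check next to a hardened version. The handler, action and helper names are hypothetical, and `manage_options` is an assumed choice of required capability.

```php
<?php
/**
 * Plugin Name: Example AJAX capability check (constructed for illustration)
 */

// Hypothetical helper standing in for a call to a vendor billing/domain API.
function example_fetch_domain_status() {
    // Constructed sample data.
    return array( 'domain' => 'example.test', 'status' => 'active' );
}

// BEFORE: wp_ajax_{action} fires for every logged-in user, Subscribers included.
// With no capability check, any authenticated account receives the data.
function example_domain_status_unchecked() {
    wp_send_json_success( example_fetch_domain_status() );
}
add_action( 'wp_ajax_example_domain_status_unchecked', 'example_domain_status_unchecked' );

// AFTER: authorize first, then verify the nonce, then act.
function example_domain_status_checked() {
    // Authorization. Assumed capability: manage_options, which only
    // administrators hold by default. Subscribers fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Request-forgery defense. A nonce is not an authorization check: any
    // logged-in user served a page that prints it can also submit it.
    check_ajax_referer( 'example_domain_status', 'nonce' );

    wp_send_json_success( example_fetch_domain_status() );
}
add_action( 'wp_ajax_example_domain_status_checked', 'example_domain_status_checked' );
```

When reviewing a plugin for this class of issue, every callback registered on a `wp_ajax_` hook should reach a `current_user_can()` call before it reads or changes privileged data.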