CVE-2025-11587: 
WordPress vulnerability analysis and mitigation

The Call Now Button WordPress plugin (versions up to 1.5.3) contains a vulnerability identified as CVE-2025-11587, discovered on October 28, 2025. The vulnerability stems from a missing capability check on the activate function, affecting fresh installations where the plugin hasn't been previously configured with an API key (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (MEDIUM). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges for exploitation (NVD).

When exploited, the vulnerability allows authenticated attackers with Subscriber-level access or higher to link the plugin to their nowbuttons.com account and potentially add malicious buttons to the affected WordPress site. The impact is limited to fresh installations where no API key has been previously configured (NVD).

The vulnerability affects versions up to and including 1.5.3 of the Call Now Button WordPress plugin. Site administrators should ensure their plugin is configured with an API key immediately after installation to prevent unauthorized modifications (NVD).