CVE-2025-11587: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-11587 affects the Call Now Button WordPress plugin (versions up to and including 1.5.3). The vulnerability was discovered by researcher Dmitrii Ignatyev and was disclosed on October 28, 2025. The issue stems from a missing capability check on the activate function, which affects fresh installations of the plugin that haven't been configured with an API key (NVD, Rapid7).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (MEDIUM). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges for exploitation (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to link the plugin to their nowbuttons.com account and add potentially malicious buttons to the affected WordPress site. The impact is limited to fresh installations where the plugin has not been previously configured with an API key (NVD).

Website administrators should ensure their Call Now Button plugin is properly configured with an API key immediately after installation to prevent exploitation. The vulnerability affects versions up to and including 1.5.3 (NVD).