CVE-2025-11632: 
WordPress vulnerability analysis and mitigation

The Call Now Button WordPress plugin (versions up to and including 1.5.4) contains a missing authorization vulnerability identified as CVE-2025-11632. The vulnerability was discovered and disclosed on October 29, 2025, affecting the plugin's capability check functionality. This security issue allows authenticated attackers with Subscriber-level access or higher to access unauthorized data and functionality (NVD).

The vulnerability stems from missing capability checks on multiple functions in the plugin. The issue is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability affects the plugin's administrative functions, particularly in handling billing portal access and chat session management (Wordfence).

When exploited, the vulnerability allows authenticated attackers with Subscriber-level privileges to generate links to the billing portal, view and modify billing information of connected accounts, generate chat session tokens, and view domain status without proper authorization (NVD).

The vulnerability was partially addressed in version 1.5.4 and fully fixed in version 1.5.5 of the Call Now Button plugin. Users are advised to update to version 1.5.5 or later to fully mitigate the vulnerability (NVD).