CVE-2025-11632
CVSS v3.1 severity:
MEDIUM
Type:
Not available / Other type
Publication date:
29/10/2025
Last modified:
30/10/2025
Description
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to the billing portal, where they can view and modify billing information of the connected account, generate chat session tokens, view domain status, etc.
This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5.
Impact
Base score 3.x
4.30
Severity 3.x
MEDIUM
References to solutions, tools and information
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L147
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L154
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L167
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L21
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L50
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/chat/class-cnb-chat-controller.php#L52
- https://www.wordfence.com/threat-intel/vulnerabilities/id/379547a2-6b22-4ec9-8570-a043dda7ec09?source=cve



