Call Now Button – The #1 Click to Call Button for WordPress Security & Risk Analysis

wordpress.org/plugins/call-now-button

The web's #1 click to call button for your website! A simple and powerful plugin that adds a Call Now Button to your website.

200K active installs · v2.0.0 · PHP 7.4+ · WP 6.1+ · Updated Feb 6, 2026
Tags: call-button, call-now-button, click-to-call, contact-button, convert
Score: 95 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Oct 29, 2025
Safety Verdict

Is Call Now Button – The #1 Click to Call Button for WordPress Safe to Use in 2026?

Generally Safe

Score 95/100

Call Now Button – The #1 Click to Call Button for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Oct 29, 2025 · Updated 1mo ago
Risk Assessment

The "call-now-button" v2.0.0 plugin presents a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling, with 100% of queries using prepared statements, and a very high percentage of output being properly escaped. The absence of critical or high-severity taint analysis findings and a lack of file operations are also strengths. However, a significant concern lies in its attack surface. With 17 AJAX handlers, a substantial 15 of them lack any form of authentication checks, exposing them to unauthorized access and potential abuse. This wide, unprotected entry point is a major risk.

The vulnerability history reveals a pattern of medium-severity issues, including Missing Authorization, CSRF, and XSS. While there are no currently unpatched vulnerabilities, the existence of 5 past medium-severity CVEs, particularly those related to authorization and input sanitization, reinforces the risks introduced by the unprotected AJAX endpoints. The common types of past vulnerabilities directly correlate with the areas of weakness identified in the static analysis, suggesting a recurring theme of insufficient input validation and access control in certain plugin functionalities.

In conclusion, while the plugin employs good practices in SQL and output handling, the large number of unprotected AJAX endpoints creates a significant security risk. Coupled with a history of medium-severity vulnerabilities related to authorization and XSS, careful attention to securing these entry points and ongoing security monitoring are strongly recommended. The lack of critical flaws is encouraging, but the exposed attack surface is a clear and present danger.

Key Concerns

  • Large attack surface without auth
  • Missing authorization on AJAX handlers
  • History of 5 medium severity CVEs
  • Common vulnerability types: Missing Authorization
  • Common vulnerability types: CSRF
  • Common vulnerability types: XSS
Vulnerabilities: 5

Call Now Button – The #1 Click to Call Button for WordPress Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 1 CVE
2025: 3 CVEs

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2025-11632 · medium · 4.3 · Missing Authorization
Call Now Button <= 1.5.4 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions
Oct 29, 2025 · Patched in 1.5.5 (1d)

CVE-2025-11587 · medium · 4.3 · Missing Authorization
Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update
Oct 28, 2025 · Patched in 1.5.4 (52d)

CVE-2025-24738 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Call Now Button <= 1.4.13 - Cross-Site Request Forgery
Jan 24, 2025 · Patched in 1.4.14 (5d)

CVE-2024-2908 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Call Now Button <= 1.4.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Apr 5, 2024 · Patched in 1.4.7 (119d)

CVE-2022-1455 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Call Now Button <= 1.1.1 - Reflected Cross-Site Scripting
Apr 25, 2022 · Patched in 1.1.2 (638d)

Code Analysis
Analyzed Mar 17, 2026

Call Now Button – The #1 Click to Call Button for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 29 (1191 escaped)
Nonce Checks: 40
Capability Checks: 7
File Operations: 0
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

98% escaped · 1220 total outputs

Attack Surface: 15 unprotected

Call Now Button – The #1 Click to Call Button for WordPress Attack Surface

Entry Points: 17
Unprotected: 15

AJAX Handlers (17)

auth · wp_ajax_cnb_enable_chat · src\admin\chat\CnbChatAjaxHandler.php:17
auth · wp_ajax_cnb_disable_chat · src\admin\chat\CnbChatAjaxHandler.php:18
auth · wp_ajax_cnb_time_format · src\CallNowButton.php:807
auth · wp_ajax_cnb_get_checkout · src\CallNowButton.php:808
auth · wp_ajax_cnb_get_agency_checkout · src\CallNowButton.php:809
auth · wp_ajax_cnb_email_activation · src\CallNowButton.php:810
auth · wp_ajax_cnb_get_plans · src\CallNowButton.php:811
auth · wp_ajax_cnb_get_billing_portal · src\CallNowButton.php:812
auth · wp_ajax_cnb_request_billing_portal · src\CallNowButton.php:813
auth · wp_ajax_cnb_upgrade_to_yearly · src\CallNowButton.php:814
auth · wp_ajax_cnb_delete_action · src\CallNowButton.php:817
auth · wp_ajax_cnb_delete_condition · src\CallNowButton.php:820
auth · wp_ajax_cnb_domain_timezone_change · src\CallNowButton.php:823
auth · wp_ajax_cnb_hide_notice · src\CallNowButton.php:826
auth · wp_ajax_cnb_create_button · src\CallNowButton.php:829
auth · wp_ajax_cnb_set_user_storage_solution · src\CallNowButton.php:832
auth · wp_ajax_cnb_create_chat_token · src\CallNowButton.php:835

WordPress Hooks (103)

action · cnb_header_name · src\admin\action\CnbActionView.php:74
action · cnb_after_header · src\admin\action\CnbActionView.php:77
action · cnb_header_name · src\admin\action\CnbActionViewEdit.php:477
action · cnb_header_name · src\admin\agency\CnbAgencyViewUpgrade.php:23
action · cnb_header_name · src\admin\api-key\CnbApiKeyView.php:36
action · cnb_after_header · src\admin\api-key\CnbApiKeyView.php:39
action · cnb_header_name · src\admin\button\CnbButtonView.php:116
action · cnb_after_header · src\admin\button\CnbButtonView.php:121
action · cnb_header_name · src\admin\button\CnbButtonViewEdit.php:149
filter · cnb_header_wrapper_classes · src\admin\chat\class-cnb-chat-view.php:14
filter · cnb_admin_notice_filter · src\admin\chat\class-cnb-chat-view.php:19
filter · cnb_admin_notice_filter · src\admin\chat\CnbChatMarketingView.php:11
action · cnb_header_name · src\admin\chat\CnbChatMarketingView.php:19
action · cnb_header_name · src\admin\condition\CnbConditionView.php:87
action · cnb_after_header · src\admin\condition\CnbConditionView.php:90
action · cnb_header_name · src\admin\condition\CnbConditionViewEdit.php:186
action · wp_dashboard_setup · src\admin\dashboard\CnbDashboardWidget.php:22
filter · cnb_admin_notice_filter · src\admin\domain\class-payment-view.php:68
action · cnb_header_name · src\admin\domain\class-payment-view.php:73
action · cnb_header_name · src\admin\domain\CnbDomainView.php:50
action · cnb_after_header · src\admin\domain\CnbDomainView.php:53
action · cnb_header_name · src\admin\domain\CnbDomainViewEdit.php:42
action · cnb_header_name · src\admin\domain\CnbDomainViewUpgrade.php:96
filter · admin_footer_text · src\admin\domain\partials\CnbDomainViewUpgradeFinished.php:130
action · cnb_header_name · src\admin\legacy\CnbLegacyEdit.php:17
action · cnb_header_name · src\admin\legacy\CnbLegacyUpgrade.php:494
action · cnb_header_name · src\admin\profile\CnbProfileEdit.php:19
action · cnb_header_name · src\admin\settings\CnbApiKeyActivatedView.php:359
filter · cnb_admin_notice_filter · src\admin\settings\CnbApiKeyActivatedView.php:366
filter · cnb_admin_notice_filter · src\admin\settings\CnbSettingsRouter.php:18
action · cnb_header_name · src\admin\settings\CnbSettingsViewEdit.php:712
action · cnb_header_name · src\admin\templates\class-template-view.php:51
action · plugins_loaded · src\call-now-button.php:27
action · plugins_loaded · src\call-now-button.php:28
action · plugins_loaded · src\call-now-button.php:29
action · plugins_loaded · src\call-now-button.php:30
action · plugins_loaded · src\call-now-button.php:31
action · plugins_loaded · src\call-now-button.php:32
action · wp_loaded · src\call-now-button.php:37
action · plugins_loaded · src\call-now-button.php:39
action · admin_menu · src\CallNowButton.php:671
action · admin_menu · src\CallNowButton.php:672
action · admin_head · src\CallNowButton.php:673
filter · plugin_row_meta · src\CallNowButton.php:675
action · admin_init · src\CallNowButton.php:678
action · admin_init · src\CallNowButton.php:679
action · admin_init · src\CallNowButton.php:682
filter · option_cnb · src\CallNowButton.php:685
action · cnb_init · src\CallNowButton.php:691
action · cnb_finish · src\CallNowButton.php:692
action · cnb_init · src\CallNowButton.php:695
action · cnb_validation_notices · src\CallNowButton.php:699
filter · cnb_get_action_types · src\CallNowButton.php:703
filter · cnb_get_action_types · src\CallNowButton.php:704
filter · cnb_get_condition_types · src\CallNowButton.php:707
action · cnb_header · src\CallNowButton.php:724
action · cnb_footer · src\CallNowButton.php:726
action · admin_post_cnb_create_button · src\CallNowButton.php:742
action · admin_post_cnb_create_single_button · src\CallNowButton.php:744
action · admin_post_cnb_create_multi_button · src\CallNowButton.php:745
action · admin_post_cnb_create_full_button · src\CallNowButton.php:746
action · admin_post_cnb_create_dots_button · src\CallNowButton.php:747
action · admin_post_cnb_update_single_button · src\CallNowButton.php:749
action · admin_post_cnb_update_multi_button · src\CallNowButton.php:750
action · admin_post_cnb_update_full_button · src\CallNowButton.php:751
action · admin_post_cnb_update_dots_button · src\CallNowButton.php:752
action · admin_post_cnb_delete_button · src\CallNowButton.php:754
action · admin_post_cnb_buttons_bulk · src\CallNowButton.php:755
action · admin_post_cnb_apikey_create · src\CallNowButton.php:758
action · admin_post_cnb_apikey_validate_and_update · src\CallNowButton.php:759
action · admin_post_cnb_apikey_bulk · src\CallNowButton.php:760
action · admin_post_cnb_apikey_activate · src\CallNowButton.php:763
action · admin_post_cnb_create_condition · src\CallNowButton.php:766
action · admin_post_cnb_update_condition · src\CallNowButton.php:767
action · admin_post_cnb_delete_condition · src\CallNowButton.php:768
action · admin_post_cnb_conditions_bulk · src\CallNowButton.php:769
action · admin_post_cnb_create_action · src\CallNowButton.php:772
action · admin_post_cnb_update_action · src\CallNowButton.php:773
action · admin_post_cnb_delete_action · src\CallNowButton.php:774
action · admin_post_cnb_actions_bulk · src\CallNowButton.php:775
action · admin_post_cnb_create_domain · src\CallNowButton.php:778
action · admin_post_cnb_update_domain · src\CallNowButton.php:779
action · admin_post_cnb_delete_domain · src\CallNowButton.php:780
action · admin_post_cnb_domains_bulk · src\CallNowButton.php:781
action · admin_post_cnb_profile_edit · src\CallNowButton.php:784
action · admin_post_cnb_delete_all_settings · src\CallNowButton.php:788
action · admin_post_cnb_set_default_settings · src\CallNowButton.php:789
action · admin_post_cnb_set_changelog_version · src\CallNowButton.php:790
action · cli_init · src\cli\CNB_CLI.php:31
action · cli_init · src\cli\CNB_CLI_Api.php:200
action · cli_init · src\cli\CNB_CLI_Button.php:196
action · cli_init · src\cli\CNB_CLI_User.php:66
action · cnb_admin_notices · src\notices\CnbAdminNotices.php:25
filter · cnb_admin_notice_filter · src\notices\CnbAdminNotices.php:26
action · wp_head · src\renderers\cloud\class-cloudrenderer.php:87
action · wp_head · src\renderers\modern\class-modernrenderer.php:173
action · wp_footer · src\renderers\modern\class-modernrenderer.php:175
action · wp_head · src\renderers\noop\class-nooprenderer.php:26
filter · rocket_minify_excluded_external_js · src\utils\class-cachehandler.php:61
filter · rocket_lazyload_excluded_attributes · src\utils\class-cachehandler.php:72
action · cnb_after_button_changed · src\utils\class-cachehandler.php:171
action · cnb_after_button_changed · src\utils\class-cachehandler.php:172
filter · cnb_after_save · src\utils\class-cachehandler.php:174

Maintenance & Trust

Call Now Button – The #1 Click to Call Button for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 6, 2026
PHP min version: 7.4
Downloads: 6.8M

Community Trust

Rating: 96/100
Number of ratings: 101
Active installs: 200K

Developer Profile

Call Now Button – The #1 Click to Call Button for WordPress Developer Profile

Jerry Rietveld

1 plugin · 200K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 163 days
Detection Fingerprints

How We Detect Call Now Button – The #1 Click to Call Button for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/call-now-button/dist/index.css
/wp-content/plugins/call-now-button/dist/index.js
/wp-content/plugins/call-now-button/assets/css/admin.css
/wp-content/plugins/call-now-button/assets/js/admin.js

Script Paths
/wp-content/plugins/call-now-button/dist/index.js
/wp-content/plugins/call-now-button/assets/js/admin.js

Version Parameters
call-now-button/dist/index.css?ver=
call-now-button/dist/index.js?ver=
call-now-button/assets/css/admin.css?ver=
call-now-button/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes: cnb_button_name, cnb_list_event
Data Attributes: data-cnb-button-id, data-cnb-button-name, data-cnb-button-type
JS Globals: CNB_SLUG

FAQ

Frequently Asked Questions about Call Now Button – The #1 Click to Call Button for WordPress