PT-2024-15187 · WordPress · My Sticky Bar

Ulyses Saicha

Published: 2024-01-11
Updated: 2024-01-17

CVE: CVE-2023-7048
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: My Sticky Bar plugin for WordPress, versions up to and including 2.6.6.

Description: The issue is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php, making it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link. The CSV file is exported to a public location and can be downloaded during a short window of time before it is automatically deleted by the export function.

Recommendations: For versions up to and including 2.6.6, update to a version that includes the fix for the missing or incorrect nonce validation issue. As a temporary workaround, consider restricting access to the mystickymenu-contact-leads.php file until a patch is available.
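The pattern behind this class of bug, and the fix the advisory calls for, is easiest to see side by side. The following PHP is an added illustration written for this page; it is not the plugin's own code, and every function, hook, nonce-action and capability name in it (example_export_leads_*, 'example_export_leads', example_get_leads) is an assumption chosen for illustration. The "before" handler performs the export for any request that reaches it, which is exactly what lets a forged link fire it in an administrator's session; the "after" handler requires both a capability and a nonce bound to the action, and streams the CSV to the authorised requester instead of dropping it in a public directory, so no download window exists.

```php
<?php
// Added example, not the plugin's code. All names below are assumptions.

// --- Vulnerable pattern (before): no authorisation, no CSRF token ---
// Any request reaching this handler triggers the export, so an administrator
// who follows a crafted link exports the leads without intending to.
function example_export_leads_unchecked() {
    $leads  = example_get_leads();                         // hypothetical data source
    $upload = wp_upload_dir();
    $path   = $upload['basedir'] . '/contact-leads.csv';   // publicly reachable path
    $fh = fopen( $path, 'w' );
    foreach ( $leads as $row ) {
        fputcsv( $fh, $row );
    }
    fclose( $fh );
    // The file now sits under wp-content/uploads until something removes it.
}

// --- Hardened pattern (after) ---
function example_export_leads_checked() {
    // 1. Authorisation: only users permitted to manage the site may export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce tied to this action
    //    and to the current user's session. check_admin_referer() reads the
    //    _wpnonce parameter and terminates the request if it does not verify.
    check_admin_referer( 'example_export_leads' );

    // 3. Deliver the CSV directly to the verified requester rather than writing
    //    it to a public location, so there is nothing for a third party to fetch.
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="contact-leads.csv"' );
    header( 'X-Content-Type-Options: nosniff' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'name', 'email', 'message' ) );
    foreach ( example_get_leads() as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
// admin-post.php routes ?action=example_export_leads to this handler for
// logged-in users (hook name assumed to match the action name above).
add_action( 'admin_post_example_export_leads', 'example_export_leads_checked' );

// Building the export link in the admin UI: wp_nonce_url() appends a _wpnonce
// parameter for the same action string the handler verifies.
function example_export_link() {
    $url = add_query_arg( 'action', 'example_export_leads', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'example_export_leads' );
}

// Hypothetical data source returning constructed sample rows.
function example_get_leads() {
    return array(
        array( 'Alice Example', 'alice@example.test', 'Interested in pricing' ),
        array( 'Bob Example',   'bob@example.test',   'Requesting a demo' ),
    );
}
```

The nonce and the capability check address different things: the capability check stops low-privilege or anonymous users from calling the handler at all, while the nonce stops a legitimately privileged user's browser from being driven into the call by a page the attacker controls. Only the second closes the CSRF described in the advisory; the streaming delivery is a separate design choice that removes the public-file window the description mentions.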

Fix

CSRF


Weakness Enumeration

Related Identifiers: CVE-2023-7048

Affected Products: My Sticky Bar