PT-2026-24913 · Premio · My Sticky Bar – Floating Notification Bar & Sticky Header

Author: Dimas Maulana · Published: 2026-03-12 · Updated: 2026-03-13

CVE: CVE-2026-3657
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: My Sticky Bar versions up to and including 2.8.6

Description: The My Sticky Bar plugin for WordPress is susceptible to SQL injection through the stickymenu_contact_lead_form AJAX action. The handler passes attacker-controlled POST parameter names straight through as SQL column identifiers in its call to $wpdb->insert(). The parameter values are sanitized with esc_sql() and sanitize_text_field(), but the parameter keys are used unmodified when the column list of the INSERT statement is built. Because $wpdb->insert() escapes values but not identifiers, an unauthenticated attacker can inject SQL through crafted parameter names, potentially enabling blind time-based extraction of data from the database. The API endpoint involved is stickymenu_contact_lead_form; the vulnerable component takes POST parameters whose names are used directly as SQL column identifiers.

Recommendations: Versions up to and including 2.8.6 should be updated to a newer, fixed version if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until one is available, the pattern to avoid in the handler is any code path that derives column names from request input; column identifiers should come from a fixed allow-list in the plugin, and only the values should be taken from the request.
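As an added illustration (not the plugin's own code), the following WordPress AJAX handler shows the bug class the advisory describes next to a hardened version. The vulnerable variant copies every POST key into the array handed to $wpdb->insert(), so request-controlled names become column identifiers; the hardened variant only accepts columns from a fixed allow-list and supplies a format specifier for each. The table name example_leads, the hook and nonce name example_lead_form, and the column names are assumptions for this example.

```php
<?php
// Added example, not code from the My Sticky Bar plugin. Table, hook and
// column names below are assumptions chosen for illustration.

// Vulnerable pattern: POST parameter *names* flow into the column list.
// $wpdb->insert() escapes the values it is given, but the array keys are
// interpolated into the INSERT statement as column identifiers as-is, so
// sanitizing $value does nothing for $key.
function example_lead_form_insert_unsafe() {
    global $wpdb;
    $data = array();
    foreach ( $_POST as $key => $value ) {
        // value is sanitized; key is not, and key becomes the column name
        $data[ $key ] = sanitize_text_field( wp_unslash( $value ) );
    }
    $wpdb->insert( $wpdb->prefix . 'example_leads', $data );
}

// Hardened form: the set of column identifiers is fixed in code. Unknown
// request keys are ignored, and each accepted column carries a format
// specifier so $wpdb->insert() binds the value with the intended type.
const EXAMPLE_LEAD_COLUMNS = array(
    'name'    => '%s',
    'email'   => '%s',
    'phone'   => '%s',
    'message' => '%s',
);

function example_lead_form_insert_safe() {
    global $wpdb;

    // Nonce check so the endpoint is not reachable from arbitrary pages.
    // This is defence in depth; the SQL injection fix is the allow-list below.
    check_ajax_referer( 'example_lead_form', 'nonce' );

    $data    = array();
    $formats = array();
    foreach ( EXAMPLE_LEAD_COLUMNS as $column => $format ) {
        if ( ! isset( $_POST[ $column ] ) || ! is_string( $_POST[ $column ] ) ) {
            continue; // anything not on the allow-list never reaches SQL
        }
        $data[ $column ] = sanitize_text_field( wp_unslash( $_POST[ $column ] ) );
        $formats[]       = $format;
    }

    if ( empty( $data ) ) {
        wp_send_json_error( 'no accepted fields', 400 );
    }

    $inserted = $wpdb->insert( $wpdb->prefix . 'example_leads', $data, $formats );
    if ( false === $inserted ) {
        wp_send_json_error( 'insert failed', 500 );
    }
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}

// Lead forms are usually submitted by anonymous visitors, hence both hooks.
add_action( 'wp_ajax_nopriv_example_lead_form', 'example_lead_form_insert_safe' );
add_action( 'wp_ajax_example_lead_form', 'example_lead_form_insert_safe' );
```

When reviewing a plugin for this class of issue, the thing to look for is the shape of the array passed to $wpdb->insert() or $wpdb->update(): if its keys are built from $_POST, $_GET or $_REQUEST rather than from literals in the code, value sanitization alone does not close the hole.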

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-3657

Affected Products: My Sticky Bar – Floating Notification Bar & Sticky Header