PT-2026-57417 · WordPress · Wp Cta – Sticky Cta Builder
Daroo
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-4661
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales versions prior to 2.2.3
Description
Unauthenticated attackers can perform time-based blind SQL injection, a technique used to extract data from a database by observing the time it takes for the server to respond to specific queries. The issue occurs because the
ajaxCheck() function fails to properly escape user-supplied column names and does not use prepared statements in the $wpdb->update() call. This flaw is accessible via the fildname parameter at an endpoint registered for unauthenticated users through wp ajax nopriv , allowing for the extraction of sensitive data, such as administrator password hashes.Recommendations
Update the plugin to a version newer than 2.2.2.
As a temporary mitigation, restrict access to the
ajaxCheck() function or the fildname parameter until the update is applied.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp Cta – Sticky Cta Builder