PT-2026-57417 · WordPress · Wp Cta – Sticky Cta Builder

Daroo

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-4661

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales versions prior to 2.2.3
Description Unauthenticated attackers can perform time-based blind SQL injection, a technique used to extract data from a database by observing the time it takes for the server to respond to specific queries. The issue occurs because the ajaxCheck() function fails to properly escape user-supplied column names and does not use prepared statements in the $wpdb->update() call. This flaw is accessible via the fildname parameter at an endpoint registered for unauthenticated users through wp ajax nopriv , allowing for the extraction of sensitive data, such as administrator password hashes.
Recommendations Update the plugin to a version newer than 2.2.2. As a temporary mitigation, restrict access to the ajaxCheck() function or the fildname parameter until the update is applied.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-4661

Affected Products

Wp Cta – Sticky Cta Builder