Unauthorized Data Loss Vulnerability in My Sticky Elements Plugin for WordPress
CVE-2025-14428

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
All-in-one Sticky Floating Contact Form, Call, Click To Chat, And 50+ Social Icon Tabs – My Sticky Elements
Vendor
CVE Published:
1 January 2026

What is CVE-2025-14428?

The My Sticky Elements plugin for WordPress has a security flaw that allows authenticated users with Subscriber-level permissions or higher to delete all stored contact form leads. This vulnerability arises from a missing capability check in the 'my_sticky_elements_bulks' function, leaving sensitive data at risk. Website administrators should ensure they are using the latest plugin version to mitigate the threat of unauthorized data loss.

Affected Version(s)

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements * <= 2.3.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/mystickyelemen...
https://plugins.trac.wordpress.org/browser/mystickyelemen...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Angus Girvan
JSON
.
CVE-2025-14428 : Unauthorized Data Loss Vulnerability in My Sticky Elements Plugin for WordPress