Time-Based SQL Injection Vulnerability in WP CTA – Sticky CTA Builder Plugin
CVE-2026-4661

7.5HIGH

What is CVE-2026-4661?

The WP CTA – Sticky CTA Builder plugin for WordPress is susceptible to time-based blind SQL Injection via the 'fildname' parameter. This vulnerability affects all versions up to 2.2.2 and arises from inadequate escaping of user-provided column names within the ajaxCheck() method. Moreover, the lack of authorization checks permits unauthenticated users to access this endpoint registered through wp_ajax_nopriv_. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially extracting sensitive data, including administrator password hashes, from the database using time-based techniques.

Affected Version(s)

WP CTA – Call Now Button, Sticky Button & Call to Action Builder 0 <= 2.2.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo
.