Time-Based SQL Injection Vulnerability in WP CTA – Sticky CTA Builder Plugin
CVE-2026-4661
7.5HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-4661?
The WP CTA – Sticky CTA Builder plugin for WordPress is susceptible to time-based blind SQL Injection via the 'fildname' parameter. This vulnerability affects all versions up to 2.2.2 and arises from inadequate escaping of user-provided column names within the ajaxCheck() method. Moreover, the lack of authorization checks permits unauthenticated users to access this endpoint registered through wp_ajax_nopriv_. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially extracting sensitive data, including administrator password hashes, from the database using time-based techniques.
Affected Version(s)
WP CTA – Call Now Button, Sticky Button & Call to Action Builder 0 <= 2.2.2