Skip to main content

WP CTA CVE-2026-4661

| EUVDEUVD-2026-43157 HIGH
SQL Injection (CWE-89)
2026-07-11 Wordfence GHSA-w7rc-p2m9-r4pm
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network AJAX endpoint (AV:N/AC:L/PR:N/UI:N) with blind SQLi enabling full DB read (C:H); described impact is extraction only, so I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:52 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
HIGH 7.5

DescriptionCVE.org

The WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.

AnalysisAI

Unauthenticated SQL injection in the WP CTA (Sticky CTA Builder / Call Now Button) WordPress plugin through version 2.2.2 lets remote attackers extract database contents - including administrator password hashes - via the 'fildname' parameter of the ajaxCheck() AJAX endpoint. Because the handler is registered through wp_ajax_nopriv_ and performs no capability or nonce checks, exploitation requires no login. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running WP CTA ≤2.2.2
Delivery
Send unauthenticated admin-ajax request
Exploit
Inject time-delay SQL in 'fildname'
Execution
Measure response timing per character
Persist
Reconstruct admin password hashes
Impact
Crack hashes and access WordPress

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the WP CTA plugin (any version ≤2.2.2) is installed and active on a reachable WordPress site; the vulnerable ajaxCheck() action is registered via wp_ajax_nopriv_, so no account, nonce, or user interaction is needed and it works against default configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, no-privilege, no-interaction attack with high confidentiality impact and no integrity/availability impact - consistent with time-based blind data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a WordPress site running WP CTA ≤2.2.2 and sends crafted unauthenticated POST requests to admin-ajax.php invoking ajaxCheck() with a malicious 'fildname' value containing a time-delay SQL payload (e.g. a conditional SLEEP). …
Remediation No vendor-released patched version is stated in the available data; an upstream fix appears to exist via the WordPress plugin SVN changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3524743%40easy-sticky-sidebar&new=3524743%40easy-sticky-sidebar) but a released patched tag is not independently confirmed, so update to the latest available version and monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/7e963601-dc41-4218-9119-708c74e51bc2?source=cve) for a fixed release above 2.2.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress instances running WP CTA plugin and determine current versions in use; assess scope and business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy