Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network AJAX endpoint (AV:N/AC:L/PR:N/UI:N) with blind SQLi enabling full DB read (C:H); described impact is extraction only, so I:N/A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.
Articles & Coverage 1
AnalysisAI
Unauthenticated SQL injection in the WP CTA (Sticky CTA Builder / Call Now Button) WordPress plugin through version 2.2.2 lets remote attackers extract database contents - including administrator password hashes - via the 'fildname' parameter of the ajaxCheck() AJAX endpoint. Because the handler is registered through wp_ajax_nopriv_ and performs no capability or nonce checks, exploitation requires no login. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the WP CTA plugin (any version ≤2.2.2) is installed and active on a reachable WordPress site; the vulnerable ajaxCheck() action is registered via wp_ajax_nopriv_, so no account, nonce, or user interaction is needed and it works against default configurations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, no-privilege, no-interaction attack with high confidentiality impact and no integrity/availability impact - consistent with time-based blind data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a WordPress site running WP CTA ≤2.2.2 and sends crafted unauthenticated POST requests to admin-ajax.php invoking ajaxCheck() with a malicious 'fildname' value containing a time-delay SQL payload (e.g. a conditional SLEEP). … |
| Remediation | No vendor-released patched version is stated in the available data; an upstream fix appears to exist via the WordPress plugin SVN changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3524743%40easy-sticky-sidebar&new=3524743%40easy-sticky-sidebar) but a released patched tag is not independently confirmed, so update to the latest available version and monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/7e963601-dc41-4218-9119-708c74e51bc2?source=cve) for a fixed release above 2.2.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress instances running WP CTA plugin and determine current versions in use; assess scope and business criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43157
GHSA-w7rc-p2m9-r4pm