Skip to main content

Wp Cta Call Now Button Sticky Button Call To Action Builder

1 CVEs product

Monthly

CVE-2026-4661 HIGH This Week

Unauthenticated SQL injection in the WP CTA (Sticky CTA Builder / Call Now Button) WordPress plugin through version 2.2.2 lets remote attackers extract database contents - including administrator password hashes - via the 'fildname' parameter of the ajaxCheck() AJAX endpoint. Because the handler is registered through wp_ajax_nopriv_ and performs no capability or nonce checks, exploitation requires no login. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reachable and reported by Wordfence.

WordPress SQLi Wp Cta Call Now Button Sticky Button Call To Action Builder
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the WP CTA (Sticky CTA Builder / Call Now Button) WordPress plugin through version 2.2.2 lets remote attackers extract database contents - including administrator password hashes - via the 'fildname' parameter of the ajaxCheck() AJAX endpoint. Because the handler is registered through wp_ajax_nopriv_ and performs no capability or nonce checks, exploitation requires no login. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reachable and reported by Wordfence.

WordPress SQLi Wp Cta Call Now Button Sticky Button Call To Action Builder
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy