Back to overview

CVE-2026-4661

HIGH
7.5
CVSS 3.1
Description
The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.

Metadata

CVE ID
CVE-2026-4661
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-03-23 16:11 UTC
Published
2026-07-11 05:35 UTC
Last updated
2026-07-11 05:35 UTC
Primary CWE
CWE-89
CWE-89 Improper Neutralization of Special Elements used in a…
Vendor / Product
blendmedia / WP CTA – Call Now Button, Sticky Button & Call to Action Builder
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
blendmedia WP CTA – Call Now Button, Sticky Button & Call to Action Builder 0 ≤ 2.2.2
Weakness (CWE)
CWESourceDescription
CWE-89 cna CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Back to overview