{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-4661","assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","state":"PUBLISHED","assignerShortName":"Wordfence","dateReserved":"2026-03-23T16:11:31.414Z","datePublished":"2026-07-11T05:35:48.631Z","dateUpdated":"2026-07-11T05:35:48.631Z"},"containers":{"cna":{"providerMetadata":{"orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence","dateUpdated":"2026-07-11T05:35:48.631Z"},"affected":[{"vendor":"blendmedia","product":"WP CTA – Call Now Button, Sticky Button & Call to Action Builder","versions":[{"version":"0","status":"affected","lessThanOrEqual":"2.2.2","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes."}],"title":"WP CTA <= 2.2.2 - Unauthenticated Time-Based Blind SQL Injection via 'fildname' Parameter","references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/7e963601-dc41-4218-9119-708c74e51bc2?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/tags/1.7.4/inc/ClassActions.php#L193"},{"url":"https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/tags/1.7.4/inc/ClassActions.php#L186"},{"url":"https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/tags/1.7.4/inc/ClassActions.php#L17"},{"url":"https://plugins.trac.wordpress.org/changeset?reponame=&old=3524743%40easy-sticky-sidebar&new=3524743%40easy-sticky-sidebar"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","cweId":"CWE-89","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH"}}],"credits":[{"lang":"en","type":"finder","value":"daroo"}],"timeline":[{"time":"2026-07-10T16:57:59.000Z","lang":"en","value":"Disclosed"}]}}}