My Sticky Bar < 2.8.7 – Unauthenticated SQLi via 'stickymenu_contact_lead_form' Action | CVE 2026-3657 | Plugin Vulnerabilities

Description

The plugin is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.

Affects Plugins

Fixed in 2.8.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/05d633f5-151a-4462-a6a0-5a638d7c3404

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dimas Maulana

Verified

No

WPVDB ID

3a52b3fb-f59b-476c-8e83-323b47ad9023

Timeline

Publicly Published

2026-03-11 (about 2 months ago)

Added

2026-03-11 (about 2 months ago)

Last Updated

2026-03-11 (about 2 months ago)

Other

Published

Title

Published

2023-06-05

Title

Custom 404 Pro < 3.8.1 - Multiple SQL Injection

Published

2024-04-05

Title

ENL Newsletter <= 1.0.1 - Admin+ SQL Injection

Published

2023-06-30

Title

SP Project & Document Manager < 4.68 - Subscriber+ SQLi

Published

2025-08-27

Title

Simple Download Monitor < 3.9.34 - Simple Download Monitor < 3.9.34 – Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality

Published

2023-03-22

Title

WP Popup Banners <= 1.2.5 - Subscriber+ SQLi