WordPress Plugin Vulnerabilities

My Sticky Elements < 2.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion

Description

The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.

Affects Plugins

Plugin icon
mystickyelements
Fixed in 2.3.4

References

CVE
CVE-2025-14428
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
680b9cc2-6d68-40d4-b91c-6f34fa87f66d

Timeline

Publicly Published
2025-12-31 (about 5 months ago)
Added
2026-01-01 (about 5 months ago)
Last Updated
2026-01-01 (about 5 months ago)

Other

Published
Title
Published
2024-01-10
Title
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Email Address Disclosure
Published
2026-05-25
Title
QR Redirector < 2.0.4 - Missing Authorization
Published
2025-04-17
Title
Spice Blocks <= 2.0.7.6 - Missing Authorization
Published
2026-02-18
Title
Virusdie < 1.1.8 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure
Published
2025-02-18
Title
Trash Duplicate and 301 Redirect < 1.9.1 - Unauthenticated Arbitrary Post Deletion