WordPress Plugin Vulnerabilities

Sticky Buttons < 4.1.2 - Cross-Site Request Forgery to Settings Update

Description

The Sticky Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
sticky-buttons
Fixed in 4.1.2

References

CVE
CVE-2025-24720
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/70dd560c-975c-4c64-a0e0-de856c5bae3a

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Khang Duong
Verified
No
WPVDB ID
c347059b-6c00-415b-85e2-5acfa16babbd

Timeline

Publicly Published
2025-01-24 (about 1 year ago)
Added
2025-01-28 (about 1 year ago)
Last Updated
2025-01-28 (about 1 year ago)

Other

Published
Title
Published
2025-08-19
Title
Backup Bolt <= 1.4.1 - Cross-Site Request Forgery
Published
2023-09-27
Title
Block Update < 3.3.2 - Arbitrary Plugin Update Blocking via CSRF
Published
2023-03-28
Title
IP Blocker Lite <= 11.1.1 - Cross-Site Request Forgery
Published
2025-09-22
Title
Show Pages List <= 1.2.0 - Cross-Site Request Forgery
Published
2025-11-10
Title
WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting