PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4661 blendmedia CVE debrief

The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. Administrators and users of the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress should prioritize updating to a patched version to prevent potential exploitation.

Vendor
blendmedia
Product
WP CTA – Call Now Button, Sticky Button & Call to Action Builder
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Administrators and users of the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress should prioritize updating to a patched version to prevent potential exploitation. This vulnerability has a high impact on the security of the plugin and can be exploited by unauthenticated attackers to extract sensitive information from the database.

Technical summary

The vulnerability exists in the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress, specifically in the 'fildname' parameter. An unauthenticated attacker can inject arbitrary SQL queries, allowing for the extraction of sensitive information from the database, including administrator password hashes. The vulnerability has a CVSS score of 7.5 and is classified as HIGH. Affected product deployments should be reviewed for exposure, and owners assigned for follow-up. The absence of authorization checks and unauthenticated user registration via wp_ajax_nopriv_ exacerbate the vulnerability. It is crucial for administrators and users to update to a patched version to prevent potential exploitation. Additional security measures, such as monitoring for suspicious database activity and using a web application firewall, should be considered.

Defensive priority

High

Recommended defensive actions

  • Update the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin to a patched version.
  • Implement additional security measures, such as monitoring for suspicious database activity.
  • Consider using a web application firewall to detect and prevent SQL injection attacks.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-11T07:16:46.513Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:46.513Z and has not been modified since then.