PatchSiren cyber security CVE debrief
CVE-2026-4661 blendmedia CVE debrief
The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. Administrators and users of the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress should prioritize updating to a patched version to prevent potential exploitation.
- Vendor
- blendmedia
- Product
- WP CTA – Call Now Button, Sticky Button & Call to Action Builder
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Administrators and users of the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress should prioritize updating to a patched version to prevent potential exploitation. This vulnerability has a high impact on the security of the plugin and can be exploited by unauthenticated attackers to extract sensitive information from the database.
Technical summary
The vulnerability exists in the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress, specifically in the 'fildname' parameter. An unauthenticated attacker can inject arbitrary SQL queries, allowing for the extraction of sensitive information from the database, including administrator password hashes. The vulnerability has a CVSS score of 7.5 and is classified as HIGH. Affected product deployments should be reviewed for exposure, and owners assigned for follow-up. The absence of authorization checks and unauthenticated user registration via wp_ajax_nopriv_ exacerbate the vulnerability. It is crucial for administrators and users to update to a patched version to prevent potential exploitation. Additional security measures, such as monitoring for suspicious database activity and using a web application firewall, should be considered.
Defensive priority
High
Recommended defensive actions
- Update the WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin to a patched version.
- Implement additional security measures, such as monitoring for suspicious database activity.
- Consider using a web application firewall to detect and prevent SQL injection attacks.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-11T07:16:46.513Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:46.513Z and has not been modified since then.