CVE-2025-14428
Unauthorized Data Deletion in My Sticky Elements WordPress Plugin
Publication date: 2026-01-01
Last updated on: 2026-01-01
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| my_sticky_elements | mystickyelements | up to and including 2.3.3 |
| my_sticky_elements | mystickyelements | 2.3.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the My Sticky Elements WordPress plugin (all versions up to and including 2.3.3) is due to a missing capability check in the 'my_sticky_elements_bulks' function. This flaw allows authenticated attackers with Subscriber-level access or higher to delete all contact form leads stored by the plugin without proper authorization.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized deletion of all contact form leads stored by the plugin. An attacker with low-level authenticated access (Subscriber or above) can cause data loss by deleting valuable contact information collected through the plugin, potentially disrupting business communications and customer relationship management.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized deletion of contact form leads via the 'my_sticky_elements_bulks' function by authenticated users with Subscriber-level access or higher. Detection can focus on monitoring suspicious AJAX requests or admin actions related to this function. Since the plugin uses AJAX handlers for deleting database records, monitoring HTTP POST requests to admin-ajax.php with parameters indicating bulk deletion actions related to 'my_sticky_elements_bulks' could help detect exploitation attempts. Additionally, reviewing WordPress logs or database logs for unexpected deletions in the 'mystickyelement_contact_lists' table may indicate exploitation. Specific commands are not provided in the resources, but you can use web server logs or tools like grep to search for suspicious AJAX calls, e.g., `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'my_sticky_elements_bulks'` or monitor database changes to the contact form leads table. [2]
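As an added example (not from the advisory, Wordfence or the plugin), the log check above written as a small Python scanner run over constructed access-log lines. It assumes the plugin's AJAX action value equals the function name 'my_sticky_elements_bulks' (a placeholder to confirm against the plugin source) and also surfaces the admin-ajax POSTs a grep of the access log cannot classify, because WordPress accepts the action in the request body, which access logs do not record.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Assumed: the AJAX action value matches the vulnerable function name. That is a
# placeholder for illustration; confirm the real action against the plugin source.
SUSPECT_ACTION = "my_sticky_elements_bulks"

# Constructed sample traffic, not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=my_sticky_elements_bulks HTTP/1.1" 200 31
203.0.113.7 - - [01/Jan/2026:10:00:06 +0000] "POST /wp-admin/admin-ajax.php?action=my_sticky_elements_bulks HTTP/1.1" 200 31
198.51.100.2 - - [01/Jan/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60
198.51.100.2 - - [01/Jan/2026:10:01:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31
"""

def parse_line(line):
    """Split one access-log line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def scan_access_log(log_text, action=SUSPECT_ACTION):
    """Return (flagged, blind) for POSTs to admin-ajax.php: flagged carry the suspect
    action in the query string; blind carry no action there. WordPress also accepts
    the action in the POST body, which access logs omit, so grep alone misses those."""
    flagged, blind = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != AJAX_PATH:
            continue
        seen = rec["query"].get("action")
        if seen == action:
            flagged.append(rec)
        elif seen is None:
            blind.append(rec)
    return flagged, blind
```

Requests that land in the blind list need a WAF rule or a WordPress-side hook that sees the parsed request to be classified.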
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the My Sticky Elements plugin to a version later than 2.3.3, as the vulnerability exists in all versions up to and including 2.3.3. Since version 2.3.4 is available (as seen in Resources 2, 3, and 4), upgrading to this or a later version is recommended. Additionally, restrict user roles and capabilities to prevent Subscriber-level users from performing bulk deletions or accessing sensitive plugin functions until the update is applied. Monitoring and limiting AJAX requests related to the plugin's bulk deletion functionality can also help mitigate exploitation. [2, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access and above to delete all contact form leads stored by the plugin. This unauthorized data loss could impact compliance with data protection regulations such as GDPR and HIPAA, which require proper safeguarding and integrity of personal and sensitive data. Loss of contact form leads may result in failure to maintain accurate records and protect user data, potentially leading to non-compliance with these standards.