CVE-2026-3657
Status: Received - Intake
SQL Injection in My Sticky Bar Plugin Enables Data Extraction

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: Wordfence

Description
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.
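The sink the description names is easy to misread as a value-escaping problem, so the following added example (not the plugin's code) models it in Python: wpdb::insert() wraps each array key in backticks as a column name and runs only the values through prepare(), which is why sanitizing values does nothing for a hostile key. The table and column names are assumptions, SQLite stands in for MySQL, and the hostile key is a constructed one that merely shows the key being parsed as SQL syntax; it is not the advisory's payload. The hardened handler shows the allow-list fix the page says 2.8.7 applies.

```python
import re
import sqlite3

# Added example, not the plugin's code. It models the sink the advisory names:
# wpdb::insert() backtick-quotes each array KEY as a column name and runs only
# the VALUES through prepare(), so a key is SQL syntax while a value is data.
# Table and column names are assumptions; SQLite stands in for MySQL.

LEADS_TABLE = "wp_stickymenu_leads"                      # assumed table name
LEAD_COLUMNS = ("name", "email", "phone", "message")    # assumed form fields


def wpdb_insert_sql(table, data):
    """Build the INSERT the way wpdb::insert() does (placeholders are ? here,
    %s in WordPress): keys land in the column list unescaped."""
    fields = "`" + "`, `".join(data.keys()) + "`"
    marks = ", ".join("?" for _ in data)
    return f"INSERT INTO `{table}` ({fields}) VALUES ({marks})", list(data.values())


def sanitize_text_field(value):
    """Rough stand-in for WordPress sanitize_text_field(): drop tags, trim."""
    return re.sub(r"<[^>]*>", "", str(value)).strip()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE `{LEADS_TABLE}` (id INTEGER PRIMARY KEY, "
                 "name TEXT, email TEXT, phone TEXT, message TEXT)")
    return conn


def vulnerable_handler(conn, post):
    """Vulnerable pattern: values are sanitized, keys are used verbatim."""
    data = {k: sanitize_text_field(v) for k, v in post.items() if k != "action"}
    sql, values = wpdb_insert_sql(LEADS_TABLE, data)
    try:
        conn.execute(sql, values)
        return {"sql": sql, "error": None}
    except sqlite3.Error as exc:                 # the key was parsed as SQL
        return {"sql": sql, "error": type(exc).__name__}


def hardened_handler(conn, post):
    """Fixed pattern: only allow-listed field names may become column names."""
    unknown = sorted(set(post) - set(LEAD_COLUMNS) - {"action"})
    if unknown:
        return {"sql": None, "error": f"rejected unexpected field(s): {unknown}"}
    data = {k: sanitize_text_field(post[k]) for k in LEAD_COLUMNS if k in post}
    sql, values = wpdb_insert_sql(LEADS_TABLE, data)
    conn.execute(sql, values)
    return {"sql": sql, "error": None}


def demo():
    """Run both handlers on a benign request and on one with a hostile key."""
    benign = {"action": "stickymenu_contact_lead_form",
              "name": "Ann <b>x</b>", "email": "ann@example.test"}
    # Constructed hostile KEY (the value is harmless): the backtick closes the
    # identifier quoting, so ", `phone" is read as a second column name. This
    # only shows that the key reaches SQL syntax; it is not the advisory's payload.
    hostile = {"action": "stickymenu_contact_lead_form",
               "name`, `phone": "Ann", "email": "ann@example.test"}
    vuln = vulnerable_handler(make_db(), hostile)
    conn = make_db()
    rejected = hardened_handler(conn, hostile)
    hardened_handler(conn, benign)
    row = conn.execute(f"SELECT name, email FROM `{LEADS_TABLE}`").fetchone()
    return {"vulnerable_sql": vuln["sql"], "vulnerable_error": vuln["error"],
            "hardened_rejection": rejected["error"], "benign_row": row}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable handler emitting a column list of three names from two submitted fields, which the database rejects as a malformed statement, while the hardened handler never builds SQL for the unexpected key and stores the benign submission with its value sanitized. In MySQL the same breakout lets an attacker place arbitrary SQL in the column list, which is where the blind time-based extraction the description mentions comes from.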
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-12
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: premio
Product: my_sticky_bar
Version / Range: up to and including 2.8.6
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the My Sticky Bar WordPress plugin (up to version 2.8.6) is an SQL injection issue. It occurs because the plugin's AJAX handler for the `stickymenu_contact_lead_form` action uses attacker-controlled POST parameter names directly as SQL column identifiers in a database insert operation. While the parameter values are sanitized, the keys (parameter names) are not, allowing an unauthenticated attacker to craft malicious parameter names that inject SQL code. This enables blind time-based extraction of data from the database.


How can this vulnerability impact me?

This vulnerability can allow an unauthenticated attacker to perform SQL injection attacks on your WordPress site using the My Sticky Bar plugin. Specifically, the attacker can extract data from your database without authentication by exploiting the way the plugin handles POST parameter names. This can lead to unauthorized disclosure of sensitive information stored in the database.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves SQL injection via the `stickymenu_contact_lead_form` AJAX action in the My Sticky Bar WordPress plugin, versions up to and including 2.8.6. Detection involves monitoring for suspicious POST requests to the AJAX endpoint for this action, especially those whose parameter names are not plain form-field identifiers, since the plugin uses those names as SQL column identifiers.

Since the vulnerability is exploited through the POST parameter names, inspect HTTP POST requests to the WordPress AJAX handler (usually at `wp-admin/admin-ajax.php`) that carry the `action=stickymenu_contact_lead_form` parameter.

Web server logs can be filtered for such requests with `grep`, for example:

- grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=stickymenu_contact_lead_form'
- grep 'POST' /var/log/apache2/access.log | grep 'action=stickymenu_contact_lead_form'

Note that a standard access log records only the request line, not the POST body, so these commands catch only requests that pass `action` in the query string. Seeing the parameter names sent in the body requires a WAF, reverse proxy or audit log that records request bodies.

Additionally, you can use tools like `curl` or `wget` to send crafted POST requests with unusual parameter names and check how the endpoint responds.

Note that no explicit detection commands or signatures are provided in the available resources. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update the My Sticky Bar plugin to version 2.8.7 or later, where the vulnerability is fixed by restricting accepted POST parameters to a whitelist and properly sanitizing input.

If an immediate update is not possible, consider disabling or restricting access to the vulnerable AJAX action `stickymenu_contact_lead_form` so that unauthenticated requests cannot reach the SQL injection.

Implement web application firewall (WAF) rules to block POST requests to this AJAX action whose parameter names are not the expected form fields.

Regularly monitor logs for unusual activity related to this plugin's AJAX endpoints and apply the principle of least privilege to WordPress users. [2, 4]
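The detection and mitigation answers above both come down to one check: for requests to admin-ajax.php carrying this action, are the parameter names plain form-field identifiers? The following added example (not from the advisory or the plugin) implements that check in Python over constructed request records that include the body, which is what a WAF, reverse proxy or ModSecurity-style audit log would hold, since a plain access log does not record POST bodies. The client addresses, bodies and the identifier regex are assumptions; the check is applied to the raw body because PHP rewrites dots and spaces in incoming parameter names to underscores before the plugin sees them, so inspecting the names after PHP would miss some shapes.

```python
import re
from urllib.parse import parse_qsl

# Added example, not the plugin's or the advisory's code. It flags requests to
# the vulnerable AJAX action whose parameter NAMES are not plain identifiers.
# Sample records, the identifier regex and the path check are assumptions.

TARGET_ACTION = "stickymenu_contact_lead_form"
SAFE_KEY = re.compile(r"^[A-Za-z0-9_]{1,64}$")   # assumed shape of a real form field

# Constructed sample records: (client, method, path, body). Record 2 carries a
# backtick in a parameter name, record 4 passes the action in the query string,
# record 3 is an unrelated action whose bracketed key must NOT be flagged.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "POST", "/wp-admin/admin-ajax.php",
     "action=stickymenu_contact_lead_form&name=Ann&email=ann%40example.test"),
    ("203.0.113.5", "POST", "/wp-admin/admin-ajax.php",
     "action=stickymenu_contact_lead_form&name%60%2C+%60phone=x&email=a%40b.test"),
    ("198.51.100.7", "POST", "/wp-admin/admin-ajax.php",
     "action=heartbeat&data%5Bwp-auth-check%5D=true"),
    ("198.51.100.9", "GET",
     "/wp-admin/admin-ajax.php?action=stickymenu_contact_lead_form&name%29=1", ""),
]


def suspicious_keys(params):
    """Return the parameter names that do not look like plain form fields."""
    return [key for key, _ in params if not SAFE_KEY.match(key)]


def inspect_request(client, method, path, body):
    """Flag a request that targets the vulnerable action with odd parameter names.
    Query-string and body parameters are both considered, since admin-ajax.php
    reads the action from either."""
    url_path, _, query = path.partition("?")
    if not url_path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = (parse_qsl(query, keep_blank_values=True)
              + parse_qsl(body, keep_blank_values=True))
    if dict(params).get("action") != TARGET_ACTION:
        return None
    bad = suspicious_keys(params)
    return {"client": client, "method": method, "keys": bad} if bad else None


def scan(requests):
    """Run inspect_request over a list of records and keep the hits."""
    return [hit for hit in (inspect_request(*rec) for rec in requests) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit['client']} {hit['method']} suspicious keys: {hit['keys']}")
```

The same rule can be expressed in a WAF as "for requests whose action parameter equals stickymenu_contact_lead_form, reject any parameter name containing characters outside [A-Za-z0-9_]"; filtering on the action first is what keeps unrelated WordPress traffic with bracketed array keys (such as heartbeat requests) from being blocked.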

