CVE-2026-3657
SQL Injection in My Sticky Bar Plugin Enables Data Extraction
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| premio | my_sticky_bar | up to and including 2.8.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the My Sticky Bar WordPress plugin (up to version 2.8.6) is an SQL injection issue. It occurs because the plugin's AJAX handler for the `stickymenu_contact_lead_form` action uses attacker-controlled POST parameter names directly as SQL column identifiers in a database insert operation. While the parameter values are sanitized, the keys (parameter names) are not, allowing an unauthenticated attacker to craft malicious parameter names that inject SQL code. This enables blind time-based extraction of data from the database.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to perform SQL injection attacks on your WordPress site using the My Sticky Bar plugin. Specifically, the attacker can extract data from your database without authentication by exploiting the way the plugin handles POST parameter names. This can lead to unauthorized disclosure of sensitive information stored in the database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection via the `stickymenu_contact_lead_form` AJAX action in the My Sticky Bar WordPress plugin versions up to 2.8.6. Detection would involve monitoring for suspicious POST requests to the AJAX endpoint related to this action, especially those containing unusual or crafted parameter names used as SQL column identifiers.

Since the vulnerability exploits attacker-controlled POST parameter names, you can detect attempts by inspecting HTTP POST requests to the WordPress AJAX handler (usually at `wp-admin/admin-ajax.php`) with the `action=stickymenu_contact_lead_form` parameter.

Suggested commands to detect potential exploitation attempts include using network traffic inspection tools or web server logs to filter such requests. For example, using `grep` on web server logs:

- `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=stickymenu_contact_lead_form'`
- `grep 'POST' /var/log/apache2/access.log | grep 'action=stickymenu_contact_lead_form'`

Additionally, you can use tools like `curl` or `wget` to simulate requests and verify if the endpoint is vulnerable by sending crafted POST requests with unusual parameter names.

Note that no explicit detection commands or signatures are provided in the available resources. [1, 2]
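The `grep` pipelines above only match when `action` appears in the query string; when the plugin's JavaScript sends `action` in the POST body, an access log shows nothing but a plain POST to `admin-ajax.php`, and the parameter names themselves are visible only at a component that sees request bodies (WAF, reverse proxy, or a web server with body logging). The following Python script, added here as an example and not taken from the CVE record or the plugin, scans constructed Apache combined-format log lines for both shapes of request, tallies them per source IP, and separately offers a parameter-name check for a body-inspecting layer. The log lines, IP addresses and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=stickymenu_contact_lead_form HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2026:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2026:10:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=stickymenu_contact_lead_form HTTP/1.1" 200 43 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

TARGET_ACTION = "stickymenu_contact_lead_form"
AJAX_PATH = "/wp-admin/admin-ajax.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def lead_form_requests(lines):
    """POSTs to admin-ajax.php whose query string names the vulnerable action.
    This is what the page's grep pipelines catch."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        parts = urlsplit(rec["path"])
        if parts.path != AJAX_PATH:
            continue
        if TARGET_ACTION in parse_qs(parts.query).get("action", []):
            hits.append(rec)
    return hits


def ajax_posts_without_action(lines):
    """POSTs to admin-ajax.php with no action in the URL: the action (and the
    parameter names) travelled in the body, which the access log never records.
    These need correlation with WAF or body logs rather than dismissal."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        parts = urlsplit(rec["path"])
        if parts.path == AJAX_PATH and "action" not in parse_qs(parts.query):
            out.append(rec)
    return out


def count_by_ip(records):
    """Tally matched requests per source IP; bursts from one IP are the usual signal."""
    counts = {}
    for r in records:
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


# A legitimate form field name needs only letters, digits, '_' and '-', optionally
# with PHP-style array brackets. Anything else in a key is worth alerting on.
PARAM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\[[A-Za-z0-9_-]*\])*$")


def suspicious_param_names(keys):
    """Given the POST body's parameter names (as a WAF or proxy sees them),
    return the ones that do not look like plain form field names."""
    return [k for k in keys if not PARAM_NAME_RE.match(k)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in lead_form_requests(lines):
        print("action in URL:", rec["ip"], rec["ts"], rec["ua"])
    for rec in ajax_posts_without_action(lines):
        print("action hidden in body:", rec["ip"], rec["ts"], rec["ua"])
    print(count_by_ip(lead_form_requests(lines)))
    print(suspicious_param_names(["name", "email", "fields[0]", "first name", "em`ail"]))
```

`suspicious_param_names` is deliberately a character-class check rather than a list of known field names, so it can sit at the edge without knowing the plugin's form; the allowlist belongs in the plugin code itself.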
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the My Sticky Bar plugin to version 2.8.7 or later, where the vulnerability is fixed by restricting accepted POST parameters to a whitelist and properly sanitizing input.

If immediate update is not possible, consider disabling or restricting access to the vulnerable AJAX action `stickymenu_contact_lead_form` to prevent unauthenticated attackers from exploiting the SQL injection.

Implement web application firewall (WAF) rules to block suspicious POST requests with unexpected parameter names targeting this AJAX action.

Regularly monitor logs for unusual activity related to this plugin's AJAX endpoints and apply the principle of least privilege to WordPress users. [2, 4]
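The root cause described in the explanation above (request keys becoming SQL column identifiers while the values are sanitized) and the whitelist fix the mitigation credits to 2.8.7 can both be seen in one small model. The Python below is an added example, not the plugin's code: it builds the lead INSERT the vulnerable way and the allowlisted way side by side, with an in-memory SQLite table standing in for the MySQL table that WordPress's `$wpdb` would write to. The table name `sticky_leads`, its columns and all function names are assumptions made for the example.

```python
import sqlite3

# Constructed schema for this example; the plugin's real table is not on the page.
TABLE = "sticky_leads"
LEAD_COLUMNS = ("name", "email", "phone", "message")


def build_insert_unsafe(table, form):
    """Vulnerable pattern: the column list is built from whatever keys the POST
    body contains. The values are bound as parameters (so they are escaped
    correctly), but the identifiers are pasted into the statement verbatim,
    so a crafted key changes the SQL itself rather than the data."""
    cols = ", ".join(f"`{k}`" for k in form)
    marks = ", ".join("?" for _ in form)
    sql = f"INSERT INTO `{table}` ({cols}) VALUES ({marks})"
    return sql, tuple(form.values())


def build_insert_safe(table, form):
    """Hardened pattern: identifiers come only from the allowlist declared in
    code. Unknown keys are rejected here (a plugin might silently drop them
    instead); either way the request chooses values, never column names."""
    unknown = [k for k in form if k not in LEAD_COLUMNS]
    if unknown:
        raise ValueError(f"unexpected field(s): {unknown}")
    kept = [c for c in LEAD_COLUMNS if c in form]
    cols = ", ".join(f"`{c}`" for c in kept)
    marks = ", ".join("?" for _ in kept)
    sql = f"INSERT INTO `{table}` ({cols}) VALUES ({marks})"
    return sql, tuple(form[c] for c in kept)


def make_db():
    """In-memory SQLite; it accepts MySQL-style backtick-quoted identifiers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE `{TABLE}` (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, phone TEXT, message TEXT)"
    )
    return conn


def insert_lead(conn, form, builder=build_insert_safe):
    """Persist one lead using the given statement builder."""
    sql, params = builder(TABLE, form)
    conn.execute(sql, params)
    conn.commit()


def count_leads(conn):
    return conn.execute(f"SELECT COUNT(*) FROM `{TABLE}`").fetchone()[0]


if __name__ == "__main__":
    benign = {"name": "Ann", "email": "ann@example.com"}
    # For well-formed input both builders emit the same statement.
    print(build_insert_unsafe(TABLE, benign)[0])
    print(build_insert_safe(TABLE, benign)[0])
    # A key containing a backtick (the character the unsafe builder relies on for
    # quoting) lands inside the identifier position of the unsafe statement...
    print(build_insert_unsafe(TABLE, {"name": "Ann", "em`ail": "x"})[0])
    # ...and is rejected outright by the allowlisted builder, as is any column
    # the table does not have (e.g. "website").
    for bad in ({"name": "Ann", "em`ail": "x"}, {"name": "Ann", "website": "x"}):
        try:
            build_insert_safe(TABLE, bad)
        except ValueError as exc:
            print("rejected:", exc)
    conn = make_db()
    insert_lead(conn, benign)
    print("rows:", count_leads(conn))
```

The point of the allowlist is that it makes the set of identifiers a compile-time constant: parameterization protects values, but no database driver parameterizes column names, so the only defence for identifiers is to never derive them from the request.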