The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.

Project Subscriptions

Vendors Products
Blendmedia Subscribe
Wp Cta – Call Now Button, Sticky Button & Call To Action Builder Subscribe
Wordpress Subscribe
Wordpress Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 13 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Blendmedia
Blendmedia wp Cta – Call Now Button, Sticky Button & Call To Action Builder
Wordpress
Wordpress wordpress
Vendors & Products Blendmedia
Blendmedia wp Cta – Call Now Button, Sticky Button & Call To Action Builder
Wordpress
Wordpress wordpress

Sat, 11 Jul 2026 06:30:00 +0000

Type Values Removed Values Added
Description The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.
Title WP CTA <= 2.2.2 - Unauthenticated Time-Based Blind SQL Injection via 'fildname' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-13T14:29:23.768Z

Reserved: 2026-03-23T16:11:31.414Z

Link: CVE-2026-4661

cve-icon Vulnrichment

Updated: 2026-07-13T14:29:17.007Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T14:39:44Z

Weaknesses