Description
Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through <= 2.1.2.
Published: 2026-03-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control (Unauthorized Privileges)
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) in the Blend Media WordPress CTA plugin (slug easy-sticky-sidebar). Some plugin action can be triggered without the capability check that should gate it, so a requester who is not entitled to that action can perform it. The CVSS 3.1 vector recorded on this page (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) requires no privileges and assigns limited confidentiality and availability impact with no integrity impact, so the assessed exposure is unauthorized reading of data or limited disruption, not content modification. The specific endpoint or action that lacks the check is not identified on this page.

Affected Systems

All versions of the Blend Media WordPress CTA plugin up to and including 2.1.2 are affected. Any site running one of these versions should be treated as vulnerable.

Risk and Exploitability

The CVSS base score of 6.5 (Medium) and an EPSS score below 1% indicate moderate severity and a low predicted probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment on this page records Exploitation: none, Automatable: yes and Technical Impact: partial. The PR:N and UI:N components of the vector mean the affected request is assessed as reachable without authentication or user interaction, so exposure is not limited to logged-in users with a WordPress role. In WordPress plugins this class of flaw usually stems from an admin-ajax.php or REST API handler registered without a current_user_can() capability check (or a REST permission_callback that always returns true), though the page does not identify the specific handler. An attacker who can send HTTP requests to the site could trigger the unprotected action to read data or affect availability within the limits of the vector; nothing on this page indicates integrity impact or privilege escalation.

Generated by OpenCVE AI on April 16, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress CTA plugin to a release later than 2.1.2 as soon as the vendor publishes one; no fixed version is listed on this page, so verify the installed version after updating.
  • If an updated plugin is not yet available, temporarily deactivate the CTA plugin on all sites so its AJAX and REST handlers are no longer registered.
  • Review and tighten WordPress role capabilities so that only users who truly need access to the CTA plugin settings hold those capabilities. Because the CVSS vector records PR:N, this limits what an authenticated account can reach but does not by itself close an unauthenticated path.
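The following is an added illustration of the CWE-862 pattern described in the analysis above and of the capability-check remediation in the list above. It is not code from the easy-sticky-sidebar plugin, whose affected handler is not identified on this page; the action names, option name and REST namespace are hypothetical, and the unguarded and hardened handlers are given distinct names only so the file loads as one unit.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress
 * plugin. NOT code from the easy-sticky-sidebar plugin. Hook names, the
 * option name and the REST namespace are hypothetical.
 */

// ---- Unguarded pattern --------------------------------------------------
// Hooked for unauthenticated requests (wp_ajax_nopriv_) and performs a
// privileged write with no capability check and no nonce. Any client that
// can POST to /wp-admin/admin-ajax.php?action=demo_cta_save_unguarded
// can change the stored settings.
add_action( 'wp_ajax_nopriv_demo_cta_save_unguarded', 'demo_cta_save_unguarded' );
add_action( 'wp_ajax_demo_cta_save_unguarded',        'demo_cta_save_unguarded' );

function demo_cta_save_unguarded() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'demo_cta_settings', $settings );   // privileged write, unguarded
    wp_send_json_success();
}

// Same mistake on a REST route: permission_callback => '__return_true'
// makes the endpoint world-callable.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-cta/v1', '/settings-unguarded', array(
        'methods'             => 'POST',
        'callback'            => 'demo_cta_rest_save',
        'permission_callback' => '__return_true',        // CWE-862
    ) );
} );

// ---- Hardened pattern ---------------------------------------------------
// 1. No nopriv hook: only logged-in users reach the handler.
// 2. Nonce check against CSRF.
// 3. Explicit capability check; manage_options is the usual requirement
//    for a settings write.
// 4. Input sanitised before it is stored.
add_action( 'wp_ajax_demo_cta_save', 'demo_cta_save_hardened' );

function demo_cta_save_hardened() {
    check_ajax_referer( 'demo_cta_save', 'nonce' );      // dies on a bad or missing nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $raw = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_cta_settings', demo_cta_sanitize( $raw ) );
    wp_send_json_success();
}

// REST equivalent: the capability check belongs in permission_callback,
// which WordPress evaluates before the route callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-cta/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_cta_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function demo_cta_rest_save( WP_REST_Request $request ) {
    $settings = demo_cta_sanitize( (array) $request->get_param( 'settings' ) );
    update_option( 'demo_cta_settings', $settings );
    return rest_ensure_response( $settings );
}

// Whitelist the fields we store and coerce each to its expected type.
function demo_cta_sanitize( array $raw ) {
    return array(
        'enabled' => ! empty( $raw['enabled'] ),
        'text'    => sanitize_text_field( $raw['text'] ?? '' ),
        'url'     => esc_url_raw( $raw['url'] ?? '' ),
    );
}
```

When auditing a plugin for this weakness, grep for wp_ajax_nopriv_, for register_rest_route calls whose permission_callback is __return_true, and for handlers that call update_option, wp_update_post or similar without a preceding current_user_can(). For the hardened REST route, cookie-authenticated clients must also send the X-WP-Nonce header or WordPress treats the request as unauthenticated and the permission callback fails.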

Generated by OpenCVE AI on April 16, 2026 at 05:21 UTC.


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Removed: Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through <= 1.7.4.
  Added: Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through <= 2.1.2.
Type: Title
  Removed: WordPress WordPress CTA plugin <= 1.7.4 - Broken Access Control vulnerability
  Added: WordPress WordPress CTA plugin <= 2.1.2 - Broken Access Control vulnerability

Mon, 09 Mar 2026 20:15:00 +0000

Type: Metrics
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Added: Blend Media; Blend Media wordpress Cta; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Blend Media; Blend Media wordpress Cta; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
  Added: Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through <= 1.7.4.
Type: Title
  Added: WordPress WordPress CTA plugin <= 1.7.4 - Broken Access Control vulnerability
Type: Weaknesses
  Added: CWE-862
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:55.999Z

Reserved: 2026-01-07T13:43:59.552Z

Link: CVE-2026-22459

Vulnrichment

Updated: 2026-03-09T20:07:35.720Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:20.233

Modified: 2026-04-01T15:21:34.620

Link: CVE-2026-22459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses