Description
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.
Published: 2026-03-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data compromise
Action: Immediate Patch
AI Analysis

Impact

The My Sticky Bar WordPress plugin allows unauthenticated users to perform blind time‑based SQL injection via the stickymenu_contact_lead_form AJAX action. The handler passes attacker‑supplied POST parameter names straight through as column identifiers in a $wpdb->insert() call; esc_sql() and sanitize_text_field() are applied to the parameter values only, so the keys reach the INSERT statement unchecked. Because the attacker‑controlled keys become part of the SQL text, an attacker can change the shape of the query and extract data from the database by observing timing differences. The CVSS vector (C:H/I:N/A:N) scores confidentiality impact only; the weakness is CWE‑89 in its identifier‑injection form, where the injection point is a column name rather than a value.

Affected Systems

The vulnerability affects the Premio My Sticky Bar plugin (formerly myStickymenu) in all releases up to and including version 2.8.6. Any WordPress installation running one of these versions is exposed; no account on the site is needed, because the vulnerable AJAX action is reachable through admin-ajax.php without authentication.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network‑reachable, low complexity, no privileges or user interaction, confidentiality impact only. The EPSS score is below 1 % and the flaw is not listed in CISA’s KEV catalog, so observed exploitation is currently low, although the SSVC assessment recorded in the history below marks it Automatable: yes. Exploitation requires only that the target run the vulnerable plugin with the stickymenu_contact_lead_form action registered and that the attacker send a crafted HTTP POST to admin-ajax.php. Blind time‑based extraction is slow and noisy, but it needs no account and no user interaction, so the issue should be treated as high risk.

Generated by OpenCVE AI on March 18, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the My Sticky Bar plugin to version 2.8.7 or later, which removes the vulnerable code.
  • After updating, confirm the installed version is 2.8.7 or later and that the handler behind stickymenu_contact_lead_form no longer builds its column list from request parameter names (for example, it maps a fixed allowlist of columns and drops every other key).
  • If an immediate upgrade is not feasible, deactivate the plugin, or block POST requests to wp-admin/admin-ajax.php whose action parameter is stickymenu_contact_lead_form at the WAF or web server. The action value may arrive in the query string or the POST body, so match both; do not block admin-ajax.php wholesale, since other plugins and themes depend on it.
  • Monitor the plugin’s official support channels for additional patches or advisories and apply them as soon as they are available.
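The mechanism from the description (request parameter names becoming column identifiers in $wpdb->insert()) and the verification check in the recommended actions above, as an added Python example that is not part of this page, the plugin, or WordPress: it models how WordPress's wpdb::insert() assembles its column list (each key wrapped in backticks, never escaped or validated, each value turned into a placeholder for prepare()), so the effect of a crafted parameter name on the statement is visible; it places the allowlist fix beside the flawed pattern; and it includes a request-side identifier check of the kind a WAF rule would enforce. The table name wp_stickymenu_leads, the column names, and both request bodies are constructed for the example; the plugin's real schema and handler are not stated on this page.

```python
import re
import urllib.parse

# Assumed names for the example; the advisory does not state the plugin's schema.
LEAD_TABLE = "wp_stickymenu_leads"
ALLOWED_COLUMNS = ("name", "email", "phone", "message")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed request bodies (application/x-www-form-urlencoded).
BENIGN_BODY = "action=stickymenu_contact_lead_form&name=Ada&email=ada%40example.test"
# The parameter *name* below decodes to: name`, `extra
CRAFTED_BODY = "action=stickymenu_contact_lead_form&name%60%2C+%60extra=Ada"


def sanitize_text_field(value):
    """Stand-in for WordPress sanitize_text_field(): strip tags, control
    characters and surrounding whitespace. Values are not the problem here."""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.strip()


def wpdb_insert_sql(table, data):
    """Model of how wpdb::insert() builds its statement: keys are joined
    inside backticks with no escaping, values become %s placeholders.
    This is a model written for the example, not WordPress code."""
    fields = "`" + "`, `".join(data.keys()) + "`"
    formats = ", ".join("%s" for _ in data)
    return f"INSERT INTO `{table}` ({fields}) VALUES ({formats})"


def parse_post(body):
    """Decode the form body; 'action' is admin-ajax.php routing, not lead data."""
    params = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    params.pop("action", None)
    return params


def vulnerable_handler(body):
    """The flawed pattern: every POST key is forwarded as a column name.
    Values are sanitized, keys are not."""
    data = {key: sanitize_text_field(val) for key, val in parse_post(body).items()}
    return wpdb_insert_sql(LEAD_TABLE, data)


def hardened_handler(body):
    """Allowlist fix: the code, not the request, decides the column list.
    Keys outside the allowlist are dropped before any SQL is built."""
    params = parse_post(body)
    data = {col: sanitize_text_field(params[col]) for col in ALLOWED_COLUMNS if col in params}
    if not data:
        raise ValueError("no recognised lead fields in request")
    return wpdb_insert_sql(LEAD_TABLE, data)


def column_list(sql):
    """Raw text between '(' and ') VALUES' so the effect of a key is visible."""
    start = sql.index("(") + 1
    end = sql.index(") VALUES")
    return sql[start:end]


def suspicious_keys(body):
    """Request-side check a WAF rule would apply: any POST parameter name
    that is not a plain identifier has no business reaching the handler."""
    return [key for key in parse_post(body) if not IDENT_RE.match(key)]


if __name__ == "__main__":
    print(vulnerable_handler(BENIGN_BODY))
    print(vulnerable_handler(CRAFTED_BODY))  # one request key, two column identifiers
    print("suspicious keys:", suspicious_keys(CRAFTED_BODY))
    try:
        hardened_handler(CRAFTED_BODY)
    except ValueError as exc:
        print("hardened handler refused crafted request:", exc)
```

With this particular crafted key the model produces two column identifiers but one placeholder, which the database would reject; the point is that the request, not the code, now controls the statement's shape, and a key shaped to keep the statement valid is what the time-based extraction described above relies on. The allowlist removes that control entirely, which is the property to verify in the patched handler.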

Generated by OpenCVE AI on March 18, 2026 at 15:20 UTC.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Premio; Premio my Sticky Bar – Floating Notification Bar & Sticky Header (formerly Mystickymenu); Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Premio; Premio my Sticky Bar – Floating Notification Bar & Sticky Header (formerly Mystickymenu); Wordpress; Wordpress wordpress

Thu, 12 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 03:00:00 +0000

Type: Description
Values added: The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.

Type: Title
Values added: My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action

Type: Weaknesses
Values added: CWE-89

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-03-12T13:14:24.099Z
Reserved: 2026-03-06T18:19:56.674Z
Link: CVE-2026-3657

Vulnrichment

Updated: 2026-03-12T13:14:20.302Z

NVD

Status: Awaiting Analysis
Published: 2026-03-12T03:15:57.923
Modified: 2026-03-12T21:07:53.427
Link: CVE-2026-3657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:11Z

Weaknesses