CVE-2026-4661 in WP CTA Plugin
Summary
by MITRE • 07/11/2026
The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The WP CTA – Sticky CTA Builder plugin presents a critical time-based blind sql injection vulnerability that affects all versions up to and including 2.2.2 within the wordpress ecosystem. This security flaw resides in the ajaxCheck() method where user-supplied column names are inadequately escaped, creating an exploitable pathway for malicious actors to manipulate database queries through the 'fildname' parameter. The vulnerability stems from improper input validation and sanitization practices that fail to properly handle user-provided data before incorporating it into sql statements.
The technical implementation of this flaw demonstrates a classic case of insufficient query parameterization where the $wpdb->update() method call lacks proper preparation mechanisms, allowing attackers to inject malicious sql fragments that execute within the database context. This type of vulnerability falls under the common weakness enumeration category CWE-89, which specifically addresses sql injection flaws in software applications. The absence of proper input sanitization combined with the use of dynamic column names creates a perfect storm for exploitation where attacker-controlled data can directly influence query execution flow.
The operational impact of this vulnerability is severe as it operates without any authorization checks, making it accessible to unauthenticated users who can exploit the endpoint registered via wp_ajax_nopriv_ hook. This registration pattern allows attackers to bypass typical authentication mechanisms that would normally protect sensitive administrative functions. The time-based blind injection technique employed by attackers enables them to extract data slowly through timing variations in database response times, allowing for the retrieval of administrator password hashes and other sensitive information stored within the wordpress database.
Security professionals should note that this vulnerability aligns with attack techniques described in the mitre att&ck framework under the database persistence and credential access tactics. The lack of proper authorization controls combined with the exposed ajax endpoint creates an ideal environment for attackers to escalate privileges and gain unauthorized access to administrative accounts. Organizations using affected plugin versions face significant risk of data breaches, account takeover, and potential complete system compromise through this single vulnerable parameter.
Mitigation strategies should prioritize immediate plugin updates to versions that address the sql injection flaw through proper input validation and query parameterization. Administrators must also implement additional network-level protections such as web application firewalls that can detect and block suspicious sql injection patterns targeting known vulnerable endpoints. Regular security audits of wordpress installations should include comprehensive vulnerability scanning to identify similar issues in other plugins, themes, or custom code implementations. The vulnerability serves as a reminder of the critical importance of input validation, proper query preparation, and access control mechanisms in preventing database-related exploits that can lead to complete system compromise.