High severity · 7.5 · NVD Advisory · Published Mar 12, 2026 · Updated Apr 22, 2026
CVE-2026-3657
Description
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the stickymenu_contact_lead_form AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in $wpdb->insert(). While parameter values are sanitized with esc_sql() and sanitize_text_field(), the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.
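As an added illustration, not the plugin's own code, a hardened version of the pattern the description refers to: the INSERT column list is built from a fixed allow-list rather than from incoming parameter names, and $wpdb->insert() receives a matching format array. The table name, the example_ function prefix and the field list are assumptions.

```php
<?php
// Added example, not code from the My Sticky Bar plugin: a hardened handler for an
// AJAX lead form. The table name, the example_ prefix and the field list are assumed.

add_action( 'wp_ajax_nopriv_stickymenu_contact_lead_form', 'example_stickymenu_lead_form' );
add_action( 'wp_ajax_stickymenu_contact_lead_form', 'example_stickymenu_lead_form' );

function example_stickymenu_lead_form() {
    global $wpdb;

    // The weak pattern the advisory describes, shown only as a comment: every
    // incoming POST key becomes a column name. $wpdb->insert() wraps keys in
    // backticks without escaping them, so only the values are protected.
    //   foreach ( $_POST as $key => $value ) { $data[ $key ] = sanitize_text_field( $value ); }
    //   $wpdb->insert( $table, $data );

    // Hardened form: column identifiers come from a fixed allow-list keyed by the
    // expected parameter names; request keys never reach the SQL statement.
    $columns = array(
        'name'    => '%s',
        'email'   => '%s',
        'phone'   => '%s',
        'message' => '%s',
    );

    $data   = array();
    $format = array();
    foreach ( $columns as $column => $placeholder ) {
        if ( ! isset( $_POST[ $column ] ) ) {
            continue;
        }
        $data[ $column ] = sanitize_text_field( wp_unslash( $_POST[ $column ] ) );
        $format[]        = $placeholder;
    }

    if ( empty( $data['email'] ) || ! is_email( $data['email'] ) ) {
        wp_send_json_error( array( 'message' => 'A valid email address is required.' ), 400 );
    }

    // $wpdb->insert() binds the values through prepare()-style placeholders ($format);
    // with trusted column names both halves of the statement are now under our control.
    $inserted = $wpdb->insert( $wpdb->prefix . 'example_stickymenu_leads', $data, $format );

    if ( false === $inserted ) {
        wp_send_json_error( array( 'message' => 'Could not store the lead.' ), 500 );
    }

    wp_send_json_success( array( 'id' => (int) $wpdb->insert_id ) );
}
```

A defender reviewing a handler for this class of bug should look for any loop over `$_POST` or `$_REQUEST` keys that feeds an array into `$wpdb->insert()` or `$wpdb->update()`; escaping the values does not cover the keys.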
Affected products
- My Sticky Bar plugin for WordPress, versions <= 2.8.6
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php (NVD)
- plugins.trac.wordpress.org/browser/mystickymenu/trunk/mystickymenu.php (NVD)
- plugins.trac.wordpress.org/changeset (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/05d633f5-151a-4462-a6a0-5a638d7c3404 (NVD)