{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14428", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T03:20:27.688Z", "datePublished": "2026-01-01T16:19:30.690Z", "dateUpdated": "2026-04-08T16:38:15.506Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:15.506Z"}, "affected": [{"vendor": "premio", "product": "All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs \u2013 My Sticky Elements", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin."}], "title": "My Sticky Elements <= 2.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L1788"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-front.php#L121"}, {"url": "https://plugins.trac.wordpress.org/changeset/3423407/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-12-10T03:35:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-31T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-05T20:08:06.139251Z", "id": "CVE-2025-14428", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:08:15.277Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-05T20:08:06.139251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:08:11.460Z"}}], "cna": {"title": "My Sticky Elements <= 2.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "premio", "product": "All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs \u2013 My Sticky Elements", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-10T03:35:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-31T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L1788"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-front.php#L121"}, {"url": "https://plugins.trac.wordpress.org/changeset/3423407/"}], "descriptions": [{"lang": "en", "value": "The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:15.506Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14428", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:38:15.506Z", "dateReserved": "2025-12-10T03:20:27.688Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-01T16:19:30.690Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin."}, {"lang": "es", "value": "El plugin All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements para WordPress es vulnerable a la p\u00e9rdida de datos no autorizada debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'my_sticky_elements_bulks' en todas las versiones hasta, e incluyendo, la 2.3.3. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, eliminen todos los leads de formularios de contacto almacenados por el plugin."}], "id": "CVE-2025-14428", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-01T17:15:41.813", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L1788"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L29"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-front.php#L121"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3423407/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:18:10.062547+00:00", "value": {"mitigation_remediation": ["Update the My Sticky Elements plugin to the latest official release, which restores the missing capability check for bulk deletion.", "If an upgrade cannot be applied immediately, edit the plugin source to comment out or remove the 'my_sticky_elements_bulks' function to block the vulnerable endpoint.", "Review and tighten Subscriber role capabilities to ensure that users at that level cannot access the plugin\u2019s admin interface or receive the custom capabilities that trigger bulk operations."], "summary": {"action": "Apply Patch", "impact": "Data Loss"}, "threat_synthesis": {"affected_systems": "WordPress sites running the My Sticky Elements plugin version 2.3.3 or earlier are vulnerable. The plugin is distributed by Premio under the name All\u2011in\u2011one Sticky Floating Contact Form, Call, Click to Chat and 50+ Social Icon Tabs. Any installation of a vulnerable version, regardless of the underlying WordPress core version, is at risk.", "description_and_impact": "The All\u2011in\u2011one Sticky Floating Contact Form, Call, Click to Chat and 50+ Social Icon Tabs\u2014My Sticky Elements plugin for WordPress contains a missing capability check on its bulk deletion routine. This flaw permits any authenticated user with Subscriber\u2011level access or higher to invoke the deletion function and permanently erase every contact\u2011form lead the plugin stores. The resulting loss of data is irreversible and directly impacts the confidentiality and integrity of the site\u2019s lead repository.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% implies a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the WordPress site, typically through a valid login, and then send an authorized HTTP request to the plugin\u2019s admin endpoint that triggers the bulk deletion function. With the missing authorization check, the function will execute without further permission verification, leading to immediate and total lead loss."}}}}, "created": "2026-01-05T10:14:53.105639+00:00", "updated": "2026-04-22T20:30:26.768141+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}