{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8152", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-25T00:44:57.020Z", "datePublished": "2025-08-02T07:24:21.531Z", "dateUpdated": "2026-04-08T17:10:37.188Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:37.188Z"}, "affected": [{"vendor": "blendmedia", "product": "WP CTA \u2013 Call Now Button, Sticky Button & Call to Action Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_cta_status' and 'change_sticky_sidebar_name' functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard."}], "title": "WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons <= 1.7.0 - Missing Authorization to Unauthenticated Sticky Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/981ed50b-8f03-4320-99f0-3f53f7b2fc44?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L52"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3336867%40easy-sticky-sidebar&new=3336867%40easy-sticky-sidebar&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "timeline": [{"time": "2025-08-01T18:48:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-04T15:17:55.880088Z", "id": "CVE-2025-8152", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T15:18:03.713Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8152", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-04T15:17:55.880088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T15:17:59.366Z"}}], "cna": {"title": "WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons <= 1.7.0 - Missing Authorization to Unauthenticated Sticky Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "blendmedia", "product": "WP CTA \u2013 Call Now Button, Sticky Button & Call to Action Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-01T18:48:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/981ed50b-8f03-4320-99f0-3f53f7b2fc44?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L52"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3336867%40easy-sticky-sidebar&new=3336867%40easy-sticky-sidebar&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_cta_status' and 'change_sticky_sidebar_name' functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:37.188Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8152", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:37.188Z", "dateReserved": "2025-07-25T00:44:57.020Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-02T07:24:21.531Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_cta_status' and 'change_sticky_sidebar_name' functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard."}, {"lang": "es", "value": "El complemento WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de comprobaci\u00f3n de las funciones \u00abupdate_cta_status\u00bb y \u00abchange_sticky_sidebar_name\u00bb en todas las versiones hasta la 1.7.0 incluida. Esto permite que atacantes no autenticados actualicen el estado de un sticky y el nombre que se muestra en el panel de control de WP CTA."}], "id": "CVE-2025-8152", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-02T08:15:26.840", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L29"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L52"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3336867%40easy-sticky-sidebar&new=3336867%40easy-sticky-sidebar&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/981ed50b-8f03-4320-99f0-3f53f7b2fc44?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:43:46.394262+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 1.7.0 if one exists.", "If an upgrade is not possible, restrict access to the endpoints that handle status and name changes, for example by adding role checks or employing a WordPress security plugin to block unauthorized calls.", "Apply web\u2011application firewall rules or use .htaccess configurations to deny external access to the update endpoints until a patch is applied."], "summary": {"action": "Apply Update", "impact": "Data Tampering (unauthorized modification of sticky button status and dashboard name)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Blendmedia WordPress plugin known as WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons. All releases up to and including version 1.7.0 are susceptible; no newer releases were referenced in the advisory.", "description_and_impact": "The discovered flaw stems from a missing capability check in the WP CTA \u2013 Call To Action Plugin. Unauthenticated users can call the \u2019update_cta_status\u2019 and \u2019change_sticky_sidebar_name\u2019 functions, allowing them to alter the visibility state of sticky buttons and replace the name shown in the WordPress admin dashboard. This weakness, classified as CWE\u2011862, enables data tampering rather than code execution, but it can be exploited to deface or misleadingly promote content by changing call\u2011to\u2011action text and visibility.", "risk_and_exploitability": "With a CVSS score of 5.3 this vulnerability falls into the moderate risk range, and its EPSS score of less than 1% indicates a low likelihood of exploitation. The issue is not listed in CISA\u2019s KEV catalog. Likely exploitation involves an unauthenticated attacker sending crafted HTTP requests to the plugin\u2019s endpoints, bypassing WordPress's normal capability checks. No additional authentication is required, meaning any web user with network access to the site can trigger the updates."}}}}, "created": "2025-08-04T08:49:33.230070+00:00", "updated": "2026-04-21T03:45:27.386949+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}