{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3657", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T18:19:56.674Z", "datePublished": "2026-03-12T02:22:36.468Z", "dateUpdated": "2026-04-08T16:33:30.345Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:30.345Z"}, "affected": [{"vendor": "premio", "product": "My Sticky Bar \u2013 Floating Notification Bar & Sticky Header (formerly myStickymenu)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database."}], "title": "My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05d633f5-151a-4462-a6a0-5a638d7c3404?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2001"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2386"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2396"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/trunk/mystickymenu.php#L2386"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mystickymenu/tags/2.8.6&new_path=/mystickymenu/tags/2.8.7"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dimas Maulana"}], "timeline": [{"time": "2026-03-06T18:36:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-11T13:35:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:14:16.775598Z", "id": "CVE-2026-3657", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:14:24.099Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3657", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:14:16.775598Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:14:20.302Z"}}], "cna": {"title": "My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action", "credits": [{"lang": "en", "type": "finder", "value": "Dimas Maulana"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "premio", "product": "My Sticky Bar \u2013 Floating Notification Bar & Sticky Header (formerly myStickymenu)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.8.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-06T18:36:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-11T13:35:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05d633f5-151a-4462-a6a0-5a638d7c3404?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2001"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2386"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2396"}, {"url": "https://plugins.trac.wordpress.org/browser/mystickymenu/trunk/mystickymenu.php#L2386"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mystickymenu/tags/2.8.6&new_path=/mystickymenu/tags/2.8.7"}], "descriptions": [{"lang": "en", "value": "The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:30.345Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3657", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:30.345Z", "dateReserved": "2026-03-06T18:19:56.674Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-12T02:22:36.468Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database."}, {"lang": "es", "value": "El plugin My Sticky Bar para WordPress es vulnerable a inyecci\u00f3n SQL a trav\u00e9s de la acci\u00f3n AJAX 'stickymenu_contact_lead_form' en todas las versiones hasta la 2.8.6, inclusive. Esto se debe a que el gestor utiliza nombres de par\u00e1metros POST controlados por el atacante directamente como identificadores de columna SQL en '$wpdb-&gt;insert()'. Si bien los valores de los par\u00e1metros se sanean con 'esc_sql()' y 'sanitize_text_field()', las claves de los par\u00e1metros se utilizan tal cual para construir la lista de columnas en la sentencia INSERT. Esto hace posible que atacantes no autenticados inyecten SQL a trav\u00e9s de nombres de par\u00e1metros manipulados, lo que permite la extracci\u00f3n ciega de datos basada en tiempo de la base de datos."}], "id": "CVE-2026-3657", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-12T03:15:57.923", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2001"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2386"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2396"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mystickymenu/trunk/mystickymenu.php#L2386"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mystickymenu/tags/2.8.6&new_path=/mystickymenu/tags/2.8.7"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05d633f5-151a-4462-a6a0-5a638d7c3404?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "My Sticky Bar \u2013 Floating Notification Bar & Sticky Header (formerly myStickymenu)", "source": "cna", "vendor": "premio"}, "product": "my_sticky_bar_\u2013_floating_notification_bar_&_sticky_header_(formerly_mystickymenu)", "vendor": "premio"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-18T15:20:53.966690+00:00", "value": {"mitigation_remediation": ["Upgrade the My Sticky Bar plugin to version\u202f2.8.7 or later, which excludes the vulnerable code.", "Verify that the stickymenu_contact_lead_form AJAX action is no longer available or has been patched after the update.", "If an immediate upgrade is not feasible, block access to the AJAX endpoint via server configuration (e.g., .htaccess or firewall rules) to prevent unauthenticated POST requests.", "Monitor the plugin\u2019s official support channels for additional patches or advisories and apply them as soon as available."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection leading to data compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Premio My Sticky Bar plugin (formerly myStickymenu) in all releases up to and including version\u202f2.8.6. Any WordPress installation utilizing these plugin versions is potentially exposed, regardless of user privileges, because the vulnerable AJAX endpoint can be accessed without authentication.", "description_and_impact": "The My Sticky Bar WordPress plugin allows unauthenticated users to perform a blind time\u2011based SQL injection via the stickymenu_contact_lead_form AJAX action. Attackers craft POST parameter names that are used directly as column identifiers in a SQL INSERT statement, bypassing parameter sanitization. Because the attacker\u2011controlled keys become part of the SQL, they can manipulate the query to exfiltrate data or potentially modify the database. This vulnerability provides a high\u2011impact data exposure vector rooted in CWE\u201189.", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity, while the EPSS score is below 1\u202f% and the flaw is not listed in CISA\u2019s KEV catalog, suggesting current exploitation risk is low but not negligible. Exploitation requires the target to be running the vulnerable plugin with the stickymenu_contact_lead_form action enabled, and the attacker must send a crafted HTTP POST request. Although the attack vector is remote and unauthenticated, the potential impact of data exposure or unauthorized database manipulation makes this a high\u2011risk issue."}}}}, "created": "2026-03-13T09:53:43.425602+00:00", "updated": "2026-03-20T15:36:11.959751+00:00", "vendors": ["premio", "premio$PRODUCT$my_sticky_bar_\u2013_floating_notification_bar_&_sticky_header_(formerly_mystickymenu)", "wordpress", "wordpress$PRODUCT$wordpress"]}