All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Security & Risk Analysis

wordpress.org/plugins/mystickyelements

Get leads with a floating contact form tab, chat & social buttons like Facebook Messenger, WhatsApp, Viber, Telegram, Twitter, Instagram & more 🎉

40K active installs · v2.3.4 · PHP + WP 3.1+ · Updated Apr 9, 2026
Tags: call-now-button, contact-form, facebook-messenger, instagram, whatsapp
Score: 92 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Dec 31, 2025
Safety Verdict

Is All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Safe to Use in 2026?

Generally Safe

Score 92/100

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

6 known CVEs · Last CVE: Dec 31, 2025 · Updated 1mo ago
Risk Assessment

The "mystickyelements" v2.3.4 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a robust implementation of security checks, with all 15 AJAX handlers protected by authentication. Furthermore, a high percentage of outputs (94%) are properly escaped, and a substantial 56% of SQL queries utilize prepared statements, mitigating common vulnerabilities. The absence of critical or high severity taint flows is also a positive indicator.

However, the plugin's vulnerability history presents significant concerns. With a total of 6 known CVEs, including 1 high and 5 medium severity vulnerabilities, the plugin has a history of introducing security flaws. The common types of past vulnerabilities (Missing Authorization, Cross-site Scripting, SQL Injection) suggest recurring weaknesses. The fact that all historical vulnerabilities are listed as 'currently unpatched' (though the 'last vulnerability' date appears to be in the future, implying it might be historical data with an outdated timestamp or a placeholder) suggests a pattern of past issues that may not have been fully addressed or that the current version might still be susceptible to older, unpatched variants.

In conclusion, while the current version of "mystickyelements" v2.3.4 demonstrates good practices in terms of input sanitization and output escaping for its AJAX endpoints and SQL queries, its historical vulnerability record is a significant red flag. The recurring nature of past vulnerability types indicates potential systemic issues within the plugin's development or maintenance. The existence of 6 known CVEs, even if theoretically patched, points to a past that requires diligent monitoring and potential caution when deploying.

Key Concerns

  • History of 6 known CVEs
  • 1 high severity CVE historically
  • 5 medium severity CVEs historically
  • Common vulnerability types: Missing Auth, XSS, SQLi
  • Only 56% of SQL queries use prepared statements
  • Bundled library Select2 (potential for outdated version)
Vulnerabilities
6 published

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 3 CVEs
2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 5

6 total CVEs

CVE-2025-14428 · medium · 4.3 · Missing Authorization

My Sticky Elements <= 2.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion

Dec 31, 2025 · Patched in 2.3.4 (2d)

CVE-2025-68995 · medium · 4.3 · Missing Authorization

My Sticky Elements <= 2.3.3 - Missing Authorization

Dec 25, 2025 · Patched in 2.3.4 (13d)

CVE-2023-51362 · medium · 5.3 · Missing Authorization

All-in-one Floating Contact Form – My Sticky Elements <= 2.1.3 - Missing Authorization

Dec 26, 2023 · Patched in 2.1.4 (28d)

CVE-2023-3248 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

All-in-one Floating Contact Form <= 2.1.1 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

Jul 3, 2023 · Patched in 2.1.2 (204d)

CVE-2023-0487 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

My Sticky Elements <= 2.0.8 - Authenticated (Admin+) SQL Injection

Feb 9, 2023 · Patched in 2.0.9 (348d)

CVE-2022-0148 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

All-in-one Floating Contact Form <= 2.0.3 - Reflected Cross-Site Scripting

Jan 10, 2022 · Patched in 2.0.4 (743d)
Version History

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Release Timeline

Code Analysis
Analyzed Mar 16, 2026

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 11 (14 prepared)
Unescaped Output: 97 (1556 escaped)
Nonce Checks: 28
Capability Checks: 36
File Operations: 6
External Requests: 10
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

56% prepared · 25 total queries

Output Escaping

94% escaped · 1653 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

7 flows
<email-signup> (admin\email-signup.php:0)
Attack Surface

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Attack Surface

Entry Points: 15
Unprotected: 0

AJAX Handlers 15

auth · wp_ajax_sticky_element_update_status · class-email-signup.php:47
auth · wp_ajax_hide_mse_help_cta · class-help.php:33
auth · wp_ajax_mystickyelement-social-tab · mystickyelements-admin.php:14
auth · wp_ajax_mystickyelement_delete_db_record · mystickyelements-admin.php:15
auth · wp_ajax_myStickyelements_intro_popup_action · mystickyelements-admin.php:17
auth · wp_ajax_mystickyelement_widget_status · mystickyelements-admin.php:18
auth · wp_ajax_mystickyelement_widget_rename · mystickyelements-admin.php:19
auth · wp_ajax_mystickyelement_widget_delete · mystickyelements-admin.php:20
auth · wp_ajax_mystickyelements_admin_send_message_to_owner · mystickyelements-admin.php:25
auth · wp_ajax_mystickyelements_plugin_deactivate · mystickyelements-admin.php:26
auth · wp_ajax_my_sticky_elements_bulks · mystickyelements-admin.php:29
auth · wp_ajax_mystickyelements_review_box · mystickyelements-admin.php:31
auth · wp_ajax_mystickyelements_review_box_message · mystickyelements-admin.php:32
auth · wp_ajax_mystickyelements_contact_form · mystickyelements-front.php:14
nopriv · wp_ajax_mystickyelements_contact_form · mystickyelements-front.php:15
WordPress Hooks 28

action · admin_enqueue_scripts · class-help.php:27
action · admin_footer · class-help.php:29
action · admin_enqueue_scripts · class-review-box.php:84
action · admin_notices · class-review-box.php:85
action · admin_notices · class-upgrade-box.php:8
action · admin_notices · includes\class-affiliate.php:9
action · admin_menu · mystickyelements-admin.php:9
action · plugins_loaded · mystickyelements-admin.php:10
action · admin_enqueue_scripts · mystickyelements-admin.php:11
action · admin_head · mystickyelements-admin.php:12
action · admin_init · mystickyelements-admin.php:13
action · admin_footer · mystickyelements-admin.php:23
action · wp_enqueue_scripts · mystickyelements-front.php:11
action · wp_footer · mystickyelements-front.php:12
action · activated_plugin · mystickyelements.php:25
action · admin_init · mystickyelements.php:53
action · admin_menu · mystickyelements.php:72
action · admin_init · mystickyelements.php:73
action · admin_init · mystickyelements.php:74
action · admin_enqueue_scripts · mystickyelements.php:75
action · admin_init · mystickyelements.php:3672
action · admin_init · mystickyelements.php:3686
action · wp_head · mystickyelements.php:3700
action · wp_enqueue_scripts · mystickyelements.php:3701
action · wp_footer · mystickyelements.php:3702
action · admin_notices · mystickyelements.php:3704
action · admin_init · mystickyelements.php:3708
action · admin_footer · mystickyelements.php:3821
Maintenance & Trust

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 9, 2026
PHP min version
Downloads: 932K

Community Trust

Rating: 98/100
Number of ratings: 541
Active installs: 40K
Developer Profile

All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Developer Profile

Premio

9 plugins · 651K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 168 days
Detection Fingerprints

How We Detect All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mystickyelements/assets/css/style.css
/wp-content/plugins/mystickyelements/assets/js/frontend.js
/wp-content/plugins/mystickyelements/assets/js/backend.js
Script Paths
/wp-content/plugins/mystickyelements/assets/js/frontend.js
/wp-content/plugins/mystickyelements/assets/js/backend.js
Version Parameters
mystickyelements/assets/css/style.css?ver=
mystickyelements/assets/js/frontend.js?ver=
mystickyelements/assets/js/backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
mystickyelements-container
HTML Comments
<!-- myStickyElements Element Widget -->
<!-- myStickyElements Element Widget Options -->
Data Attributes
data-mystickyelements-id
data-mystickyelements-type
JS Globals
mystickyelements_frontend_options
mystickyelements_backend_options
REST Endpoints
/wp-json/mystickyelements/v1/settings
FAQ

Frequently Asked Questions about All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements