My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Security & Risk Analysis

wordpress.org/plugins/mystickymenu

Create a welcome notification bar for your website. Also, My Sticky Bar plugin can make your menu or header sticky to the top when scrolled 📌

100K active installs · v2.8.7 · PHP + · WP 3.5.1+ · Updated Mar 11, 2026
Tags: floating-bar, notification-bar, sticky-bar, sticky-header, sticky-menu
92
A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Mar 11, 2026
Safety Verdict

Is My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Safe to Use in 2026?

Generally Safe

Score 92/100

My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Mar 11, 2026 · Updated 23d ago
Risk Assessment

The plugin "mystickymenu" v2.8.7 presents a mixed security posture. On the positive side, it demonstrates good practices with a high percentage of SQL queries using prepared statements and a substantial amount of output properly escaped. The absence of critical or high severity taint analysis findings and the fact that all known CVEs are currently patched are also strong indicators of a relatively secure codebase in its current state. The presence of numerous nonce and capability checks further reinforces this.

However, there are notable concerns. The plugin exposes a significant attack surface with 13 AJAX handlers, two of which lack any authentication checks. This is a direct entry point for potential unauthorized actions. While the vulnerability history shows no currently unpatched issues, the plugin has a history of six CVEs, including one high, four medium, and one low severity vulnerability. The types of past vulnerabilities (SQL Injection, CSRF, Missing Authorization, XSS) suggest a pattern of common web security weaknesses that, while addressed, indicate areas where the plugin has historically struggled. The presence of bundled libraries, like Select2, could also introduce risks if not maintained and updated independently.

In conclusion, while the immediate threat from unpatched vulnerabilities is low, the plugin's historical pattern and the presence of unprotected AJAX endpoints warrant caution. Developers should prioritize securing the remaining unauthenticated AJAX handlers and maintain vigilance regarding the security of bundled libraries. The past incidents highlight the need for ongoing security testing and code review.

Key Concerns

  • 2 unprotected AJAX handlers
  • History of 6 CVEs (1 high, 4 medium)
  • Bundled library (Select2)
Vulnerabilities
6

My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 1 CVE
  • 2024: 3 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 4
  • Low: 1

6 total CVEs

CVE-2026-3657 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action

Mar 11, 2026 Patched in 2.8.7 (1d)
CVE-2024-7133 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

My Sticky Bar <= 2.7.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Aug 23, 2024 Patched in 2.7.3 (43d)
CVE-2024-4090 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

My Sticky Bar (formerly myStickymenu) <= 2.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Jul 11, 2024 Patched in 2.7.2 (30d)
CVE-2023-7048 · low · 3.1 · Cross-Site Request Forgery (CSRF)

My Sticky Bar <= 2.6.6 - Cross-Site Request Forgery to Sensitive Information Exposure

Jan 3, 2024 Patched in 2.6.7 (209d)
CVE-2023-5509 · medium · 6.3 · Missing Authorization

myStickymenu <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Lead Deletion

Oct 27, 2023 Patched in 2.6.5 (88d)
CVE-2021-24425 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

myStickymenu <= 2.5.1 - Authenticated Stored Cross-Site Scripting

Jun 21, 2021 Patched in 2.5.2 (946d)
Code Analysis
Analyzed Mar 16, 2026

My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (14 prepared)
  • Unescaped Output: 66 (1103 escaped)
  • Nonce Checks: 23
  • Capability Checks: 36
  • File Operations: 3
  • External Requests: 10
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

74% prepared · 19 total queries

Output Escaping

94% escaped · 1169 total outputs
Data Flows
All sanitized

Data Flow Analysis

5 flows
<email-signup> (admin\email-signup.php:0)
Attack Surface
2 unprotected

My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Attack Surface

Entry Points: 13
Unprotected: 2

AJAX Handlers: 13

  • auth · wp_ajax_sticky_menu_update_status · class-email-signup.php:47
  • auth · wp_ajax_mystickymenu_update_popup_status · mystickymenu.php:49
  • auth · wp_ajax_mystickymenu_plugin_deactivate · mystickymenu.php:51
  • auth · wp_ajax_stickymenu_widget_delete · mystickymenu.php:52
  • auth · wp_ajax_mystickymenu_widget_status · mystickymenu.php:53
  • auth · wp_ajax_stickymenu_status_update · mystickymenu.php:54
  • auth · wp_ajax_mystickymenu_delete_contact_lead · mystickymenu.php:55
  • auth · wp_ajax_my_sticky_menu_bulks · mystickymenu.php:56
  • auth · wp_ajax_mystickymenu_admin_send_message_to_owner · mystickymenu.php:58
  • auth · wp_ajax_mystickymenu_review_box · mystickymenu.php:60
  • auth · wp_ajax_mystickymenu_review_box_message · mystickymenu.php:61
  • auth · wp_ajax_stickymenu_contact_lead_form · mystickymenu.php:2000
  • nopriv · wp_ajax_stickymenu_contact_lead_form · mystickymenu.php:2001

WordPress Hooks: 21

  • action · admin_enqueue_scripts · class-help.php:27
  • action · admin_footer · class-help.php:29
  • action · admin_enqueue_scripts · class-review-box.php:85
  • action · admin_notices · class-review-box.php:86
  • action · admin_notices · class-upgrade-box.php:11
  • action · admin_menu · mystickymenu.php:42
  • action · admin_init · mystickymenu.php:43
  • action · admin_init · mystickymenu.php:44
  • action · admin_head · mystickymenu.php:45
  • action · admin_enqueue_scripts · mystickymenu.php:46
  • action · activated_plugin · mystickymenu.php:48
  • action · admin_footer · mystickymenu.php:50
  • action · admin_init · mystickymenu.php:62
  • action · wp_head · mystickymenu.php:1997
  • action · wp_enqueue_scripts · mystickymenu.php:1998
  • action · admin_init · mystickymenu.php:2442
  • action · admin_init · mystickymenu.php:2499
  • action · admin_footer · mystickymenu.php:2501
  • action · admin_print_footer_scripts · welcome-bar.php:224
  • action · wp_footer · welcome-bar.php:1616
  • action · wp_head · welcome-bar.php:2580

Maintenance & Trust

My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version
Downloads: 3.9M

Community Trust

Rating: 98/100
Number of ratings: 1,191
Active installs: 100K

Developer Profile

My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Developer Profile

Premio

9 plugins · 651K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 168 days

Detection Fingerprints

How We Detect My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/mystickymenu/admin/css/mystickymenu-backend.css
  • /wp-content/plugins/mystickymenu/admin/css/mystickymenu-welcomebar.css
  • /wp-content/plugins/mystickymenu/admin/js/mystickymenu-backend.js
  • /wp-content/plugins/mystickymenu/admin/js/mystickymenu-welcomebar.js

Script Paths

  • /wp-content/plugins/mystickymenu/admin/js/mystickymenu-backend.js
  • /wp-content/plugins/mystickymenu/admin/js/mystickymenu-welcomebar.js

Version Parameters

  • mystickymenu/admin/css/mystickymenu-backend.css?ver=
  • mystickymenu/admin/css/mystickymenu-welcomebar.css?ver=
  • mystickymenu/admin/js/mystickymenu-backend.js?ver=
  • mystickymenu/admin/js/mystickymenu-welcomebar.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • mystickymenu-container
  • mystickymenu-button
  • mysticky-menu-element

HTML Comments

  • <!-- My Sticky Menu Admin CSS -->
  • <!-- My Sticky Menu Admin JS -->
  • <!-- My Sticky Menu Welcome Bar CSS -->
  • <!-- My Sticky Menu Welcome Bar JS -->

Data Attributes

  • data-mystickymenu-id
  • data-mystickymenu-target
  • data-mystickymenu-offset

JS Globals

  • MyStickyMenuBackendVars
  • mystickymenu_vars

REST Endpoints

  • /wp-json/mystickymenu/v1/settings
  • /wp-json/mystickymenu/v1/welcomebar

Shortcode Output

  • [mysticky_menu]
  • [mysticky_welcomebar]

FAQ

Frequently Asked Questions about My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu)