Sticky Security & Risk Analysis

wordpress.org/plugins/sticky

Adds sticky support for pages and/or custom posts.

70 active installs · v2.5.6 · PHP + WP 3.6+ · Updated Jan 26, 2022

Tags: pages, sticky, widget

Score: 63 · Grade C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: May 19, 2026
Safety Verdict

Is Sticky Safe to Use in 2026?

Use With Caution

Score 63/100

Sticky has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: May 19, 2026 · Updated 4yr ago
Risk Assessment

The "sticky" plugin v2.5.6 exhibits a generally strong security posture based on the provided static analysis. The plugin uses prepared statements for its SQL queries and has no identified dangerous functions, file operations, or external HTTP requests. It also implements nonce and capability checks, indicating an effort to protect its entry points. Taint analysis shows no critical or high-severity unsanitized flows.

However, output escaping is a notable concern. Of 49 total outputs, only 24% are properly escaped, so a significant portion of the plugin's output is potentially vulnerable to Cross-Site Scripting (XSS). This lack of robust output escaping is the primary risk identified in the code analysis. The absence of any known vulnerabilities in its history at the time of this analysis is positive, suggesting responsible development, but it does not negate the risks identified by the static analysis.

In conclusion, while the plugin demonstrates good practices in areas such as SQL query preparation and authentication checks, the high percentage of unescaped output is a tangible security weakness. The developers should prioritize fixing the output escaping to mitigate potential XSS vulnerabilities.

Key Concerns

  • Insufficient output escaping (24% proper)
Vulnerabilities · 1 published

Sticky Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2026-6397 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sticky <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute

May 19, 2026 · Unpatched
Version History

Sticky Release Timeline

No version history available.
Code Analysis · Analyzed Mar 16, 2026

Sticky Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 37 (12 escaped)
  • Nonce Checks: 1
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

24% escaped (49 total outputs)

Data Flows · Security: All sanitized

Data Flow Analysis

1 flow

  • <settings> (includes\settings.php:0)
Attack Surface

Sticky Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

  • [cvmh-sticky] · includes\shortcode.php:4
WordPress Hooks (11)

  • action · admin_menu · includes\admin.php:7
  • action · admin_enqueue_scripts · includes\admin.php:15
  • filter · plugin_action_links_sticky/sticky.php · includes\admin.php:79
  • action · plugins_loaded · sticky.php:16
  • action · plugins_loaded · sticky.php:25
  • action · plugins_loaded · sticky.php:30
  • action · plugins_loaded · sticky.php:35
  • action · widgets_init · sticky.php:46
  • action · wp_enqueue_scripts · sticky.php:48
  • action · admin_enqueue_scripts · sticky.php:51
  • action · customize_controls_enqueue_scripts · sticky.php:52
Maintenance & Trust

Sticky Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Jan 26, 2022
PHP min version: (none listed)
Downloads: 7K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 70
Developer Profile

Sticky Developer Profile

cvmh

5 plugins · 180 total installs

Trust score: 81
Avg Security Score: 81/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Sticky

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/sticky/assets/css/admin.css
  • /wp-content/plugins/sticky/assets/js/admin.js
  • /wp-content/plugins/sticky/assets/css/front.css
  • /wp-content/plugins/sticky/assets/js/front.js

Script Paths

  • /wp-content/plugins/sticky/assets/js/admin.js
  • /wp-content/plugins/sticky/assets/js/front.js

Version Parameters

  • sticky/assets/css/admin.css?ver=
  • sticky/assets/js/admin.js?ver=
  • sticky/assets/css/front.css?ver=
  • sticky/assets/js/front.js?ver=

HTML / DOM Fingerprints

CSS Classes: cvmh-sticky-admin-style
Data Attributes: data-sticky-visibility
JS Globals: sticky
Shortcode Output: <div class="cvmh-sticky-posts">
FAQ

Frequently Asked Questions about Sticky