WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales <= 2.1.2 - Missing Authorization
Description
The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 2.1.2
What Changed in the Fix
Changes introduced in v2.1.3
Source Code
WordPress.org SVN
CVE-2026-22459 - WP CTA – Sticky CTA Builder Missing Authorization Research Plan
1. Vulnerability Summary
The WP CTA – Sticky CTA Builder plugin (versions <= 2.1.2) is vulnerable to unauthorized data modification due to missing capability checks on several AJAX and initialization handlers. While some functions like processPages contain a current_user_can('manage_options') check, others registered via the same nopriv loop or the init hook lack proper authorization. Specifically, the handle_settings function in inc/ClassAdminOptions.php updates the plugin's core configuration and is accessible to any user who can obtain the required WordPress nonce, as it fails to verify user capabilities.
2. Attack Vector Analysis
- Endpoints:
  - Generic Initialization: The `init` hook in `inc/ClassAdminOptions.php` calls `handle_settings()`.
  - AJAX: `admin-ajax.php` with actions `process_pages`, `ajax_check`, or `validate_data`.
- Payload Parameters:
  - `action`: `process_pages` (AJAX) or direct POST to any page (for the `init` hook).
  - `_wpnonce`: The security token (localized or found in forms).
  - `easy_sticky_sidebar_settings`: Array of settings to overwrite (via `handle_settings`).
- Authentication: Unauthenticated (if nonce is obtained)
Summary
The WP CTA plugin is vulnerable to unauthorized data modification because it lacks capability checks in the `handle_settings` function and several AJAX handlers. This allows unauthenticated attackers who obtain a valid nonce to overwrite core plugin settings or manipulate Call To Action (CTA) configurations.
Vulnerable Code
```php
// inc/ClassAdminOptions.php L30-47
public function __construct() {
    add_action('admin_menu', array($this, 'addSubmenuPages'));
    $this->handle_cta_action();
    add_action('admin_footer', [$this, 'pro_feature_popup']);
    add_action('admin_footer', [$this, 'load_design_template_popup']);
    // handle_settings() is hooked on init, so it runs on every request, front end included
    add_action('init', [$this, 'handle_settings']);
}

function handle_settings() {
    $post_data = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
    if (!isset($post_data['_wpnonce'])) {
        return;
    }
    // Only a nonce is verified: this proves the request came via a page that exposed the token,
    // not that the requester is allowed to change settings
    if (!wp_verify_nonce($post_data['_wpnonce'], '_nonce_easy_sticky_sidebar_settings')) {
        return;
    }
    unset($post_data['_wpnonce'], $post_data['_wp_http_referer'], $post_data['submit']);
    $settings_data = apply_filters('easy_sticky_sidebar_settings_post_data', $post_data);
    // No current_user_can('manage_options') check precedes this write
    update_option('easy_sticky_sidebar_settings', $settings_data);
    $generate = new Easy_Sticky_CTA_Generate_CSS();
    $generate->generate_style();
}

---

// inc/ClassActions.php L14-17
function __construct() {
    foreach ($this->AjaxActions() as $key => $action) {
        add_action("wp_ajax_{$action['name']}", [$this, $action['callback']]);
        // Every callback is also exposed to unauthenticated requests via the nopriv hook
        add_action("wp_ajax_nopriv_{$action['name']}", [$this, $action['callback']]);
    }
    // ...
```
Security Fix
@@ -34,6 +34,10 @@ function handle_settings() { $post_data = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS); + if (!current_user_can('manage_options')) { + return; + } + if (!isset($post_data['_wpnonce'])) { return; } @@ -12,7 +12,6 @@ function __construct() { foreach ($this->AjaxActions() as $key => $action) { add_action("wp_ajax_{$action['name']}", [$this, $action['callback']]); - add_action("wp_ajax_nopriv_{$action['name']}", [$this, $action['callback']]); } // Fixed: Removed wp_ajax_nopriv_ hooks for security
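Review bot: in the handle_settings hunk the new current_user_can('manage_options') guard is placed before the nonce check, which is the right order, but the method stays registered on the init hook (see the constructor in the vulnerable code above) and still calls filter_input_array on every request, anonymous front-end requests included; consider registering it on admin_init or returning early unless the request is a POST so the settings path is never entered for ordinary page loads. A silent return also gives a logged-in user without manage_options no feedback when a save is denied; wp_die() or an admin notice would make that visible.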
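Review bot: removing the wp_ajax_nopriv_ registrations in the ClassActions hunk closes anonymous access, but the wp_ajax_ hooks left in the same loop still fire for every logged-in account, subscribers included, and the loop registers every entry of AjaxActions() uniformly; since the research plan notes that only processPages performs a current_user_can('manage_options') check, ajax_check and validate_data still need their own capability check and check_ajax_referer() call inside the callback rather than relying on the hook prefix for authorization.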
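As an added illustration, not code from the plugin or from this advisory, the following Python script audits PHP source for the pattern described in the vulnerable code and the fix above: callbacks that WordPress runs for anonymous requests (`init`, `wp_ajax_nopriv_*`) or for any logged-in account (`wp_ajax_*`) whose body never calls `current_user_can()`. A handler that verifies only a nonce is flagged with `nonce_only=True`, because `wp_verify_nonce()` shows the request came through a page that exposed the token, not that the caller is authorized. The `Demo_Admin_Options` class, its hook names and option keys are constructed samples modelled on the advisory's snippets, not the plugin's real source; the regex resolves only static `[$this, 'method']` registrations and reports interpolated ones (such as the `wp_ajax_nopriv_{$action['name']}` loop) as unresolved.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape the advisory describes (NOT the plugin's real source):
# a settings handler hooked on `init` that checks only a nonce, an AJAX callback registered
# for both logged-in and anonymous users, and one callback that does check a capability.
VULNERABLE_SRC = r"""
class Demo_Admin_Options {
    public function __construct() {
        add_action('admin_menu', array($this, 'addSubmenuPages'));
        add_action('init', [$this, 'handle_settings']);
        add_action('wp_ajax_process_pages', [$this, 'processPages']);
        add_action('wp_ajax_nopriv_process_pages', [$this, 'processPages']);
        add_action('wp_ajax_ajax_check', [$this, 'ajaxCheck']);
        add_action('wp_ajax_nopriv_ajax_check', [$this, 'ajaxCheck']);
    }
    function handle_settings() {
        $post_data = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
        if (!isset($post_data['_wpnonce'])) { return; }
        if (!wp_verify_nonce($post_data['_wpnonce'], '_nonce_demo_settings')) { return; }
        update_option('demo_settings', $post_data);
    }
    function processPages() {
        if (!current_user_can('manage_options')) { wp_send_json_error(); }
        wp_send_json_success(get_pages());
    }
    function ajaxCheck() {
        echo 'ok';
    }
}
"""

# The same class after a fix of the kind shown in the diff: capability check added to
# handle_settings, wp_ajax_nopriv_ registrations removed. ajaxCheck is deliberately left
# without a check, which the audit should still report for logged-in users.
FILTER_LINE = "        $post_data = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);\n"
CAP_CHECK = "        if (!current_user_can('manage_options')) { return; }\n"
FIXED_SRC = (
    VULNERABLE_SRC.replace(FILTER_LINE, FILTER_LINE + CAP_CHECK)
    .replace("        add_action('wp_ajax_nopriv_process_pages', [$this, 'processPages']);\n", "")
    .replace("        add_action('wp_ajax_nopriv_ajax_check', [$this, 'ajaxCheck']);\n", "")
)

# add_action('hook', [$this, 'method']) / array($this, 'method') / [$this, $dynamic['cb']]
REGISTRATION = re.compile(
    r"""add_action\(\s*(['"])(?P<hook>.+?)\1\s*,\s*(?:\[|array\()\s*\$this\s*,\s*"""
    r"""(?:(['"])(?P<cb>\w+)\3|(?P<dyn>\$\w+(?:\[[^\]]*\])*))\s*[\]\)]"""
)
ANON_HOOKS = ("init", "wp_loaded")                        # fire for every request
ANON_PREFIXES = ("wp_ajax_nopriv_", "admin_post_nopriv_")  # explicitly unauthenticated
LOGGED_IN_PREFIXES = ("wp_ajax_", "admin_post_")          # any role, subscriber included
NONCE_CALLS = ("wp_verify_nonce(", "check_ajax_referer(", "check_admin_referer(")


@dataclass
class Finding:
    hook: str
    callback: str
    reachable_by: str   # "anyone", "any logged-in user", or "unknown (resolved at run time)"
    nonce_only: bool    # True when a nonce is checked but no capability is


def function_body(src, name):
    """Return the brace-delimited body of `function name(...)`, or None if not found."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if m is None:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for pos in range(start, len(src)):
        if src[pos] == "{":
            depth += 1
        elif src[pos] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:pos]
    return None


def audit(src):
    """List request-reachable handlers in `src` that never call current_user_can()."""
    findings = []
    for m in REGISTRATION.finditer(src):
        hook = m.group("hook")
        callback = m.group("cb") or m.group("dyn")
        if "$" in hook or callback.startswith("$"):
            # Hook name or callback is computed at run time (e.g. a registration loop);
            # report it so a human checks every callback the loop can register.
            findings.append(Finding(hook, callback, "unknown (resolved at run time)", False))
            continue
        if hook in ANON_HOOKS or hook.startswith(ANON_PREFIXES):
            reachable = "anyone"
        elif hook.startswith(LOGGED_IN_PREFIXES):
            reachable = "any logged-in user"
        else:
            continue  # admin_menu, admin_footer etc. are not request handlers
        body = function_body(src, callback)
        if body is None or "current_user_can(" in body:
            continue
        findings.append(Finding(hook, callback, reachable,
                                any(call in body for call in NONCE_CALLS)))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(f"== {label} ==")
        for f in audit(src):
            print(f"  {f.hook} -> {f.callback}(): reachable by {f.reachable_by}, nonce_only={f.nonce_only}")
```

Run against a real plugin by feeding each PHP file's contents to `audit()`; on the constructed samples the vulnerable class yields three findings (the nonce-only `init` handler and `ajaxCheck` on both hooks) and the fixed class still yields one, because dropping the `nopriv` hook does not add a capability check to `ajaxCheck` for logged-in users.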
Exploit Outline
An attacker can exploit this vulnerability by performing the following steps:
1. Obtain a valid WordPress nonce for the action `_nonce_easy_sticky_sidebar_settings` (which may be found in the plugin's settings page if accessible or through other information leaks).
2. Construct a POST request to any site endpoint (triggering the `init` hook) containing the parameter `easy_sticky_sidebar_settings` with arbitrary configuration values and the valid `_wpnonce` token.
3. The `handle_settings` function will execute because it lacks a `current_user_can('manage_options')` check, effectively overwriting the plugin's global options in the `wp_options` table.
4. Alternatively, use `admin-ajax.php` with the `process_pages`, `ajax_check`, or `validate_data` actions, which are incorrectly registered for unauthenticated users via the `nopriv_` loop.