WP CTA Plugin Vulnerable to Unauthenticated Time-Based Blind SQL Injection (CVE-2026-4661)
The WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in versions up to and including 2.2.2. This vulnerability is due to insufficient escaping of user-supplied column names and lack of preparation in database queries. Unauthenticated attackers can exploit this by injecting arbitrary SQL queries to extract sensitive information, including administrator password hashes, from the database.
The "WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales" plugin for WordPress contains a critical vulnerability, CVE-2026-4661, affecting all versions up to and including 2.2.2. This flaw allows unauthenticated attackers to perform time-based blind SQL Injection due to insufficient sanitization of the fildname parameter within the ajaxCheck() method and a lack of proper prepared statements in the $wpdb->update() call. Compounding the issue, the vulnerable endpoint is accessible to unauthenticated users via wp_ajax_nopriv_ and lacks any authorization checks. This means threat actors can remotely inject arbitrary SQL queries into the site's database, allowing them to extract sensitive information, including administrator password hashes, without requiring any prior authentication or user interaction. Exploitation of this vulnerability could lead to full site compromise and data exfiltration.
Attack Chain
- An unauthenticated attacker identifies a WordPress instance running the vulnerable "WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales" plugin.
- The attacker sends an HTTP POST request to the
wp-admin/admin-ajax.phpendpoint, specifyingaction=cta_ajax_checkto invoke the vulnerable function. - The attacker injects a time-based blind SQL injection payload into the
fildnameparameter within the POST request. - The server processes the malicious SQL query embedded in
fildname, causing a noticeable delay in the HTTP response due to functions likeSLEEP()orBENCHMARK(). - By observing these time delays, the attacker iteratively infers database schema information, including table names and column names.
- The attacker crafts subsequent time-based payloads to progressively extract sensitive data, such as entries from the
wp_userstable. - Specifically, the attacker targets and extracts administrator password hashes, potentially enabling offline cracking or credential stuffing attacks.
- Successful exploitation culminates in the exfiltration of sensitive database contents and potential full administrative control over the WordPress site.
Impact
Successful exploitation of CVE-2026-4661 allows unauthenticated attackers to extract arbitrary sensitive data directly from the WordPress database. The most critical impact is the potential exfiltration of administrator password hashes, which can then be used to gain full control over the compromised website. This could lead to website defacement, injection of malicious content, complete data loss, or further exploitation of site visitors. Organizations using the vulnerable plugin face significant risks of data breaches, reputational damage, and operational disruption. The unauthenticated nature of the vulnerability means any exposed WordPress site running the plugin is a potential target.
Recommendation
- Patch CVE-2026-4661 by updating the "WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales" plugin to a version greater than 2.2.2 immediately.
- Deploy the Sigma rule in this brief to your SIEM and tune for your environment to detect exploitation attempts against CVE-2026-4661.
- Review web server logs for suspicious HTTP POST requests to
/wp-admin/admin-ajax.phpcontaining SQL injection payloads in thefildnameparameter as described in the attack chain.
Detection coverage 1
Detects CVE-2026-4661 Exploitation - WP CTA Plugin Time-Based Blind SQLi
highDetects exploitation attempts against CVE-2026-4661, an unauthenticated time-based blind SQL Injection vulnerability in the WP CTA WordPress plugin, by looking for SQLi payloads in the 'fildname' parameter of POST requests to admin-ajax.php.
Detection queries are available on the platform. Get full rules →