{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-cta--sticky-cta-builder-generate-leads-promote-sales-plugin--2.2.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4661"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin \u003c= 2.2.2"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","sql-injection","time-based-blind","unauthenticated","web-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe \u0026quot;WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales\u0026quot; plugin for WordPress contains a critical vulnerability, CVE-2026-4661, affecting all versions up to and including 2.2.2. This flaw allows unauthenticated attackers to perform time-based blind SQL Injection due to insufficient sanitization of the \u003ccode\u003efildname\u003c/code\u003e parameter within the \u003ccode\u003eajaxCheck()\u003c/code\u003e method and a lack of proper prepared statements in the \u003ccode\u003e$wpdb-\u0026gt;update()\u003c/code\u003e call. Compounding the issue, the vulnerable endpoint is accessible to unauthenticated users via \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e and lacks any authorization checks. This means threat actors can remotely inject arbitrary SQL queries into the site's database, allowing them to extract sensitive information, including administrator password hashes, without requiring any prior authentication or user interaction. Exploitation of this vulnerability could lead to full site compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress instance running the vulnerable \u0026quot;WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales\u0026quot; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint, specifying \u003ccode\u003eaction=cta_ajax_check\u003c/code\u003e to invoke the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a time-based blind SQL injection payload into the \u003ccode\u003efildname\u003c/code\u003e parameter within the POST request.\u003c/li\u003e\n\u003cli\u003eThe server processes the malicious SQL query embedded in \u003ccode\u003efildname\u003c/code\u003e, causing a noticeable delay in the HTTP response due to functions like \u003ccode\u003eSLEEP()\u003c/code\u003e or \u003ccode\u003eBENCHMARK()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBy observing these time delays, the attacker iteratively infers database schema information, including table names and column names.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts subsequent time-based payloads to progressively extract sensitive data, such as entries from the \u003ccode\u003ewp_users\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eSpecifically, the attacker targets and extracts administrator password hashes, potentially enabling offline cracking or credential stuffing attacks.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation culminates in the exfiltration of sensitive database contents and potential full administrative control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4661 allows unauthenticated attackers to extract arbitrary sensitive data directly from the WordPress database. The most critical impact is the potential exfiltration of administrator password hashes, which can then be used to gain full control over the compromised website. This could lead to website defacement, injection of malicious content, complete data loss, or further exploitation of site visitors. Organizations using the vulnerable plugin face significant risks of data breaches, reputational damage, and operational disruption. The unauthenticated nature of the vulnerability means any exposed WordPress site running the plugin is a potential target.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-4661 by updating the \u0026quot;WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales\u0026quot; plugin to a version greater than 2.2.2 immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule in this brief to your SIEM and tune for your environment to detect exploitation attempts against CVE-2026-4661.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious HTTP POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e containing SQL injection payloads in the \u003ccode\u003efildname\u003c/code\u003e parameter as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T07:22:06Z","date_published":"2026-07-11T07:22:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wp-cta-sql-injection/","summary":"The WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in versions up to and including 2.2.2. This vulnerability is due to insufficient escaping of user-supplied column names and lack of preparation in database queries. Unauthenticated attackers can exploit this by injecting arbitrary SQL queries to extract sensitive information, including administrator password hashes, from the database.","title":"WP CTA Plugin Vulnerable to Unauthenticated Time-Based Blind SQL Injection (CVE-2026-4661)","url":"https://feed.craftedsignal.io/briefs/2026-07-wp-cta-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales Plugin \u003c= 2.2.2","version":"https://jsonfeed.org/version/1.1"}