<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Time-Based-Blind - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/time-based-blind/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 07:22:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/time-based-blind/feed.xml" rel="self" type="application/rss+xml"/><item><title>WP CTA Plugin Vulnerable to Unauthenticated Time-Based Blind SQL Injection (CVE-2026-4661)</title><link>https://feed.craftedsignal.io/briefs/2026-07-wp-cta-sql-injection/</link><pubDate>Sat, 11 Jul 2026 07:22:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wp-cta-sql-injection/</guid><description>The WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in versions up to and including 2.2.2. This vulnerability is due to insufficient escaping of user-supplied column names and lack of preparation in database queries. Unauthenticated attackers can exploit this by injecting arbitrary SQL queries to extract sensitive information, including administrator password hashes, from the database.</description><content:encoded><![CDATA[<p>The &quot;WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales&quot; plugin for WordPress contains a critical vulnerability, CVE-2026-4661, affecting all versions up to and including 2.2.2. This flaw allows unauthenticated attackers to perform time-based blind SQL Injection due to insufficient sanitization of the <code>fildname</code> parameter within the <code>ajaxCheck()</code> method and a lack of proper prepared statements in the <code>$wpdb-&gt;update()</code> call. Compounding the issue, the vulnerable endpoint is accessible to unauthenticated users via <code>wp_ajax_nopriv_</code> and lacks any authorization checks. This means threat actors can remotely inject arbitrary SQL queries into the site's database, allowing them to extract sensitive information, including administrator password hashes, without requiring any prior authentication or user interaction. Exploitation of this vulnerability could lead to full site compromise and data exfiltration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress instance running the vulnerable &quot;WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales&quot; plugin.</li>
<li>The attacker sends an HTTP POST request to the <code>wp-admin/admin-ajax.php</code> endpoint, specifying <code>action=cta_ajax_check</code> to invoke the vulnerable function.</li>
<li>The attacker injects a time-based blind SQL injection payload into the <code>fildname</code> parameter within the POST request.</li>
<li>The server processes the malicious SQL query embedded in <code>fildname</code>, causing a noticeable delay in the HTTP response due to functions like <code>SLEEP()</code> or <code>BENCHMARK()</code>.</li>
<li>By observing these time delays, the attacker iteratively infers database schema information, including table names and column names.</li>
<li>The attacker crafts subsequent time-based payloads to progressively extract sensitive data, such as entries from the <code>wp_users</code> table.</li>
<li>Specifically, the attacker targets and extracts administrator password hashes, potentially enabling offline cracking or credential stuffing attacks.</li>
<li>Successful exploitation culminates in the exfiltration of sensitive database contents and potential full administrative control over the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4661 allows unauthenticated attackers to extract arbitrary sensitive data directly from the WordPress database. The most critical impact is the potential exfiltration of administrator password hashes, which can then be used to gain full control over the compromised website. This could lead to website defacement, injection of malicious content, complete data loss, or further exploitation of site visitors. Organizations using the vulnerable plugin face significant risks of data breaches, reputational damage, and operational disruption. The unauthenticated nature of the vulnerability means any exposed WordPress site running the plugin is a potential target.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-4661 by updating the &quot;WP CTA - Sticky CTA Builder, Generate Leads, Promote Sales&quot; plugin to a version greater than 2.2.2 immediately.</li>
<li>Deploy the Sigma rule in this brief to your SIEM and tune for your environment to detect exploitation attempts against CVE-2026-4661.</li>
<li>Review web server logs for suspicious HTTP POST requests to <code>/wp-admin/admin-ajax.php</code> containing SQL injection payloads in the <code>fildname</code> parameter as described in the attack chain.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>sql-injection</category><category>time-based-blind</category><category>unauthenticated</category><category>web-vulnerability</category></item></channel></rss>