CVE-2026-3657
Published 2026-03-12
Priority: P2 (78) · Severity: High · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
In the wild: listed in VulnCheck KEV (exploited in the wild)
EPSS: 0.34% (25.6th percentile)
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.
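The description above names the exact defect class: the sanitizers run on the POST *values*, but `$wpdb->insert()` builds its column list from the array *keys* and wraps each one in backticks without escaping it, so identifiers never pass through `prepare()`. As an added example (not the plugin's code and not WordPress core), the stand-alone PHP script below models that behaviour with a minimal `FakeWpdb` whose `insert()` follows the same column-list construction as core's `wpdb::_insert_replace_helper()` (simplified: values are rendered as quoted strings instead of `%s` placeholders). The table name `wp_mystickybar_leads`, the `LEAD_COLUMNS` allowlist and the two `*_stub` sanitizers are assumptions for illustration only; the crafted key in the constructed request is deliberately not a working payload, it only shows that backticks and SQL punctuation in a key reach the query untouched.

```php
<?php
// Added example: simulation of the bug class in CVE-2026-3657.
// Not the plugin's code. FakeWpdb, wp_mystickybar_leads, LEAD_COLUMNS and the
// *_stub sanitizers are assumptions made for this illustration.

// Stand-in for the part of $wpdb->insert() that matters here: the column list
// comes from array_keys($data), each key wrapped in backticks and never
// escaped; only the VALUES are parameterised in real core.
final class FakeWpdb {
    public string $last_query = '';

    public function insert(string $table, array $data): bool {
        $columns = '`' . implode('`, `', array_keys($data)) . '`';
        $values  = implode(', ', array_map(
            fn($v) => "'" . addslashes((string) $v) . "'",
            array_values($data)
        ));
        $this->last_query = "INSERT INTO `$table` ($columns) VALUES ($values)";
        return true; // a real driver would execute the statement here
    }
}

// Stand-ins for sanitize_text_field() and esc_sql(). Both act on a VALUE;
// the handler never applies either one to a KEY.
function sanitize_text_field_stub(string $s): string {
    return trim(strip_tags($s));
}
function esc_sql_stub(string $s): string {
    return addslashes($s);
}

// Vulnerable pattern: every POST key becomes a column identifier.
function vulnerable_handler(FakeWpdb $wpdb, array $post): string {
    $row = [];
    foreach ($post as $key => $value) {
        // value is sanitized; $key is used as-is
        $row[$key] = esc_sql_stub(sanitize_text_field_stub((string) $value));
    }
    $wpdb->insert('wp_mystickybar_leads', $row);
    return $wpdb->last_query;
}

// Hardened pattern: the column set is fixed in code (assumed allowlist);
// request keys only select which allowed columns get a value.
const LEAD_COLUMNS = ['name', 'email', 'phone', 'message'];

function hardened_handler(FakeWpdb $wpdb, array $post): ?string {
    $row = [];
    foreach (LEAD_COLUMNS as $col) {
        if (!array_key_exists($col, $post) || !is_string($post[$col])) {
            continue; // missing, or not a scalar string (e.g. field[]=x)
        }
        $row[$col] = esc_sql_stub(sanitize_text_field_stub($post[$col]));
    }
    if ($row === []) {
        return null; // nothing valid to store: refuse instead of inserting an empty row
    }
    $wpdb->insert('wp_mystickybar_leads', $row);
    return $wpdb->last_query;
}

// Constructed request (not a real capture): one ordinary field plus a key that
// is not a valid identifier. Not a working exploit, just non-identifier bytes.
$request = [
    'email'                        => 'alice@example.com',
    'bad`key (not an identifier)'  => 'whatever',
];

$wpdb = new FakeWpdb();
echo "vulnerable: " . vulnerable_handler($wpdb, $request) . "\n";
// -> the column list carries the raw key, backtick and parentheses included
echo "hardened:   " . (hardened_handler($wpdb, $request) ?? '(rejected)') . "\n";
// -> only `email` survives; the unknown key never reaches $wpdb->insert()
```

Run with `php example.php`. The point to take from it: `$wpdb->prepare()` and `esc_sql()` are value-level defences and cannot make an identifier safe, so the only robust fix for this pattern is to stop deriving column names from the request at all (an allowlist as above, or a fixed mapping from form field to column). When auditing a site, compare the handler at the `mystickymenu.php` lines cited in the references with the 2.8.6 to 2.8.7 changeset also linked there to see which approach the vendor took.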
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| premio | my_sticky_bar_floating_notification_bar_sticky_header | <= 2.8.6 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| VulnCheck | — | 7.5 | HIGH | — |
GHSA
GHSA-pvwh-rjjc-mwgp (ghsa_unreviewed, 2026-03-12): CVE-2026-3657 [HIGH] CWE-89. The advisory text is identical to the description above.
VulnCheck
vulncheck, 2026, CVSS 7.5: CVE-2026-3657 [HIGH] premio my_sticky_bar, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The advisory text is identical to the description above.
Affected: Premio My Sticky Bar
Required Action: Apply remediations or
No detection rules found.
No public exploits indexed.
References
- https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2001
- https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2386
- https://plugins.trac.wordpress.org/browser/mystickymenu/tags/2.8.6/mystickymenu.php#L2396
- https://plugins.trac.wordpress.org/browser/mystickymenu/trunk/mystickymenu.php#L2386
- https://plugins.trac.wordpress.org/changeset?old_path=/mystickymenu/tags/2.8.6&new_path=/mystickymenu/tags/2.8.7
- https://www.wordfence.com/threat-intel/vulnerabilities/id/05d633f5-151a-4462-a6a0-5a638d7c3404?source=cve