My Sticky Bar – Floating Notification Bar & Sticky Header (formerly…

by | Mar 11, 2026 | Plugins

Attack Vectors

CVE-2026-3657 is a High severity vulnerability (CVSS 7.5) affecting My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) (slug: mystickymenu) in versions up to and including 2.8.6.

The issue can be exploited remotely by unauthenticated attackers over the network via the plugin’s stickymenu_contact_lead_form AJAX action, allowing crafted requests to reach WordPress’s public AJAX endpoint (commonly admin-ajax.php) without needing a valid login.

Because the attack does not require user interaction and can be automated, it may be used in opportunistic scanning campaigns against sites running vulnerable versions.

Security Weakness

The vulnerability is an unauthenticated SQL injection condition triggered when the AJAX handler uses attacker-controlled POST parameter names directly as SQL column identifiers in $wpdb->insert().

While the handler applies sanitization to parameter values (including esc_sql() and sanitize_text_field()), the parameter keys are used as-is to build the INSERT statement’s column list. This creates an opening for attackers to inject SQL through crafted parameter names, enabling blind, time-based techniques to extract data.

Reference: CVE-2026-3657. Public reporting and remediation guidance are also documented by Wordfence: Wordfence Vulnerability Entry.
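As an added illustration (not the plugin's own code), the sketch below contrasts a handler that passes request keys straight into $wpdb->insert() with one that maps input onto a fixed allow-list of columns; the table, column, function and AJAX action names are assumed.

```php
<?php
// Added illustration, not the plugin's code: a handler that passes request
// keys straight into $wpdb->insert() beside one that maps input onto a fixed
// allow-list of columns. Table, column, function and action names are assumed.

// Vulnerable pattern: values are sanitised, but the keys of $_POST become the
// column list of the INSERT, so a crafted parameter name reaches SQL unescaped.
function example_lead_form_vulnerable() {
    global $wpdb;
    $data = array();
    foreach ( wp_unslash( $_POST ) as $key => $value ) {
        if ( 'action' === $key ) {
            continue;
        }
        $data[ $key ] = sanitize_text_field( $value ); // value is safe, key is not
    }
    $wpdb->insert( $wpdb->prefix . 'example_leads', $data ); // columns named by the client
    wp_send_json_success();
}

// Hardened pattern: the column list is fixed in code; request keys are only
// used to look up values and never to name columns.
function example_lead_form_hardened() {
    global $wpdb;
    $post = wp_unslash( $_POST );
    // Allow-list: column name => sanitiser. Unknown request fields are ignored.
    $fields = array(
        'name'    => 'sanitize_text_field',
        'email'   => 'sanitize_email',
        'message' => 'sanitize_textarea_field',
    );
    $data = array();
    foreach ( $fields as $column => $sanitizer ) {
        $raw             = isset( $post[ $column ] ) && is_string( $post[ $column ] ) ? $post[ $column ] : '';
        $data[ $column ] = call_user_func( $sanitizer, $raw );
    }
    if ( ! is_email( $data['email'] ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $data['created_at'] = current_time( 'mysql' );
    // Explicit %s formats: every value is bound as a string by $wpdb.
    $ok = $wpdb->insert( $wpdb->prefix . 'example_leads', $data, array( '%s', '%s', '%s', '%s' ) );
    if ( false === $ok ) {
        wp_send_json_error( 'could not save lead', 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_lead_form', 'example_lead_form_hardened' );
add_action( 'wp_ajax_nopriv_example_lead_form', 'example_lead_form_hardened' );
```

The hardened form also serves as a review checklist: any $wpdb->insert() or $wpdb->update() whose data array is built from request keys, rather than from a list fixed in code, has the same weakness regardless of how well the values are sanitised.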

Technical or Business Impacts

With a CVSS vector indicating high confidentiality impact (C:H), this weakness primarily raises the risk of unauthorized data exposure. Even when attackers can’t directly “dump” data in a single response, blind time-based techniques can still be used to infer sensitive information over repeated requests.

From a business perspective, the biggest risks include:

Compliance and privacy exposure: If customer, lead, or operational data is accessible via the database, it can trigger incident response obligations and regulatory scrutiny (depending on your data and jurisdiction).

Brand and campaign performance risk: Marketing sites are high-visibility assets. A security incident can disrupt lead capture, reduce conversion rates, and erode trust with prospects and partners.

Operational cost: Even without obvious downtime, investigations, emergency patching, forensic support, and stakeholder communications can become expensive and time-consuming.

Remediation: Update My Sticky Bar to version 2.8.7 or a newer patched release to address this High severity issue.

Similar Attacks

SQL injection has been repeatedly linked to serious, real-world security incidents across industries. Examples include:

TalkTalk (2015) cyberattack — widely reported as involving SQL injection, leading to significant operational, financial, and reputational impact.

Heartland Payment Systems (2008) data breach — commonly cited as an example of large-scale compromise where SQL injection played a role in initial access.
