WP CTA – Call Now Button, Sticky Button & Call to Action Builder Vu…

by | Apr 15, 2026 | Plugins

Attack Vectors

CVE-2026-22459 is a Medium-severity vulnerability (CVSS 5.3) affecting the WP CTA – Call Now Button, Sticky Button & Call to Action Builder plugin (also marketed as “WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales”) in versions up to and including 2.1.2.

The issue is described as a missing authorization (capability) check on a plugin function. In practical terms, this means an unauthenticated attacker (no login required) may be able to invoke a plugin action they should not be allowed to perform. Because the CVSS vector indicates a network-exploitable flaw requiring no privileges and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), this is the kind of exposure that can be probed broadly by automated scans against public-facing WordPress sites.

Security Weakness

The core weakness is missing authorization: the plugin function in affected versions does not verify that the requester holds the required capability before executing. WordPress relies heavily on capability checks to ensure only authorized users (typically administrators or editors, depending on the action) can change settings, content, or behavior.

When these checks are absent, attackers can sometimes trigger actions intended only for logged-in administrators. Even if the impact is “limited” (as reflected by the CVSS rating), it still represents a governance and control failure: business-critical website components like call-to-action elements can influence conversions, brand trust, and compliance obligations.
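To make the weakness concrete, below is an added illustration written for this post; it is not code from the WP CTA plugin, and the action names, option name and function names (example_cta_save, example_cta_settings) are assumptions. It shows a WordPress AJAX handler of the kind that writes CTA settings, first in the pattern that produces a missing-authorization finding and then with the nonce and capability checks WordPress expects.

```php
<?php
// Added illustration (not the plugin's code). Action, option and function
// names are hypothetical.

// --- Vulnerable pattern ---
// wp_ajax_nopriv_* exposes the handler to visitors who are not logged in, and
// the callback never asks who is calling before it writes an option. Any
// visitor who reaches admin-ajax.php can therefore change the site's CTAs
// (an integrity impact, matching the I:L in the advisory's CVSS vector).
add_action( 'wp_ajax_nopriv_example_cta_save', 'example_cta_save_unchecked' );
add_action( 'wp_ajax_example_cta_save', 'example_cta_save_unchecked' );

function example_cta_save_unchecked() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_cta_settings', $settings ); // no capability check, no nonce
    wp_send_json_success();
}

// --- Hardened pattern ---
// 1. Register the handler for logged-in users only (no wp_ajax_nopriv_ hook for
//    an action that writes settings).
// 2. Verify a nonce bound to this action, so a logged-in administrator cannot be
//    made to submit it from another site (CSRF).
// 3. Verify a capability, so Subscriber- or Contributor-level accounts are refused.
// 4. Sanitize each field before persisting it.
add_action( 'wp_ajax_example_cta_save_v2', 'example_cta_save_checked' );

function example_cta_save_checked() {
    // Ends the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_cta_save', 'nonce' );

    // This is the authorization check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'label' => isset( $raw['label'] ) ? sanitize_text_field( $raw['label'] ) : '',
        'phone' => isset( $raw['phone'] ) ? preg_replace( '/[^0-9+]/', '', (string) $raw['phone'] ) : '',
        'url'   => isset( $raw['url'] ) ? esc_url_raw( $raw['url'] ) : '',
    );

    update_option( 'example_cta_settings', $settings );
    wp_send_json_success( $settings );
}

// The nonce checked above is handed to the admin settings page that renders the
// form, for example via wp_localize_script():
//   array( 'nonce' => wp_create_nonce( 'example_cta_save' ) )
```

The two checks address different failures and both are needed: the nonce ties the request to a form the user actually loaded, while current_user_can() decides whether that user may perform the action at all. A handler that has only the nonce still lets any authenticated account with access to the page trigger the write, and one that has only the capability check is open to cross-site request forgery against an administrator.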

Technical or Business Impacts

Based on the published scoring and summary, the primary impact area is integrity (I:L) rather than data theft or service outage. For marketing leaders and executives, the key risks to consider include:

Campaign and conversion risk: If an attacker can perform unauthorized actions related to CTA behavior or configuration, they may be able to alter on-site prompts, phone/call buttons, or lead-driving elements—potentially reducing conversions, redirecting intent, or creating confusion during active campaigns.

Brand and trust impact: Unauthorized changes to visible on-site CTAs can make the site appear compromised to customers and partners, which can harm brand credibility and increase support load.

Compliance and audit exposure: If your organization has change-control requirements (e.g., for regulated industries or internal governance), a public-facing plugin that permits unauthorized actions can create audit findings, especially if changes are made without authenticated access.

Remediation: Update WP CTA – Call Now Button, Sticky Button & Call to Action Builder to version 2.1.3 or newer (patched). Reference: CVE-2026-22459 and the vendor/community advisory at Wordfence Threat Intelligence.
