CVE-2026-3657
Published: 12 March 2026
Summary
CVE-2026-3657 is a high-severity SQL Injection (CWE-89) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3657 is a SQL injection vulnerability in the My Sticky Bar plugin for WordPress, affecting all versions up to and including 2.8.6. The flaw exists in the `stickymenu_contact_lead_form` AJAX action handler, which uses attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. Although parameter values are sanitized using `esc_sql()` and `sanitize_text_field()`, the parameter keys are incorporated as-is into the INSERT statement's column list, allowing SQL injection via crafted parameter names. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-89.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity, as it requires no privileges or user interaction. By sending a crafted POST request to the AJAX endpoint with malicious parameter names, attackers can inject SQL payloads into the column list, enabling blind time-based data extraction from the database. This grants high confidentiality impact, potentially allowing exfiltration of sensitive data such as user information stored in WordPress tables.
The referenced plugin source points to the vulnerable lines around L2001, L2386, and L2396 in version 2.8.6; the changeset between tags 2.8.6 and 2.8.7 shows that version 2.8.7 addresses the issue by properly handling parameter keys. Security practitioners should recommend immediate updates for affected WordPress sites using the My Sticky Bar plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11511
Vulnerability details
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.
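The following PHP is an added illustration of the pattern described in the "Deeper analysis" and "Vulnerability details" sections, not code from the My Sticky Bar plugin or from WordPress core. The handler, table name and field names are assumed for the example. It shows the defect (request parameter keys flowing into `$wpdb->insert()` as column identifiers, where `wpdb` backtick-quotes but never validates them) beside the hardened form, in which identifiers come only from a fixed allowlist and request keys are used for lookup alone.

```php
<?php
// Added example: hypothetical AJAX lead-form handlers, NOT the plugin's code.
// Table and column names below are assumed for illustration.

// --- Vulnerable pattern: POST keys become SQL column identifiers ---
function hypothetical_lead_form_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_leads'; // assumed table name

    // Values are sanitized, but the KEYS are not. $wpdb->insert() binds
    // values safely via prepare(), yet it only backtick-quotes the column
    // names it is given; it does not validate or escape them.
    $data = array();
    foreach ( $_POST as $key => $value ) {
        $data[ $key ] = sanitize_text_field( wp_unslash( $value ) );
    }
    $wpdb->insert( $table, $data ); // column list is attacker-controlled
    wp_send_json_success();
}

// --- Hardened form: identifiers come from an allowlist, never from input ---
function hypothetical_lead_form_hardened() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_leads'; // assumed table name

    // Fixed map of accepted request fields -> fixed column names.
    // Request keys are used only to look up this map; they never reach SQL.
    $allowed = array(
        'lead_name'  => 'name',
        'lead_email' => 'email',
        'lead_phone' => 'phone',
    );

    $data = array();
    foreach ( $allowed as $field => $column ) {
        if ( isset( $_POST[ $field ] ) ) {
            $data[ $column ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }

    // Reject requests that carry none of the accepted fields.
    if ( empty( $data ) ) {
        wp_send_json_error( 'no accepted fields', 400 );
    }

    // Explicit '%s' format for every value so each is bound as a string.
    $wpdb->insert( $table, $data, array_fill( 0, count( $data ), '%s' ) );
    wp_send_json_success();
}
```

The design point is that sanitizing values with `esc_sql()` or `sanitize_text_field()` does nothing for identifiers: column and table names are not bound parameters, so the only sound control is to never derive them from the request. This is exactly what the SI-10 (Information Input Validation) control listed under Mitigating Controls calls for. When reviewing other plugins for the same class of flaw, look for `array_keys( $_POST )`, `foreach ( $_POST as $key => ... )` feeding `$wpdb->insert()`, `$wpdb->update()` or a hand-built column list.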
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin enables unauthenticated remote exploitation (T1190) and direct blind extraction of database contents (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring timely remediation of the SQL injection flaw through updating the My Sticky Bar plugin to version 2.8.7, which fixes improper handling of POST parameter keys.
- SI-10 (Information Input Validation): Requires validation and sanitization of all inputs, including attacker-controlled POST parameter names, to prevent their direct use as SQL column identifiers in database insert statements.
- RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify SQL injection flaws like CVE-2026-3657 in WordPress plugins, facilitating proactive patching before exploitation.