CVE-2026-4661

Blendmedia · WP CTA – Call Now Button, Sticky Button & Call to Action Builder

The WP CTA plugin for WordPress is susceptible to time-based blind SQL Injection via the 'fildname' parameter.

Executive summary

A time-based blind SQL injection vulnerability in the WP CTA WordPress plugin allows unauthenticated attackers to extract sensitive information from the underlying database.

Vulnerability

The plugin contains a vulnerability in the 'fildname' parameter, which fails to properly sanitize user input, allowing for time-based blind SQL injection (CWE-89). This can be executed by an unauthenticated attacker.

Business impact

SQL injection vulnerabilities allow attackers to query the database, potentially exposing sensitive customer data, configuration details, or authentication credentials. Given the CVSS score of 7.5, this is a high-severity issue that could lead to significant data exfiltration.

Remediation

Immediate Action: Update the WP CTA plugin to the latest version immediately to patch the vulnerable parameter handling.

Proactive Monitoring: Use a database activity monitor to identify slow or unusual queries that may indicate automated SQL injection attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block common SQL injection patterns and filter malicious input in HTTP requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Because this vulnerability is exploitable by unauthenticated users, it presents a significant risk to any site utilizing this plugin. Administrators should apply the vendor-provided security update without delay to prevent potential database compromise.