CVE-2026-4661
Blendmedia · WP CTA – Call Now Button, Sticky Button & Call to Action Builder
The WP CTA plugin for WordPress is susceptible to time-based blind SQL Injection via the 'fildname' parameter.
Executive summary
A time-based blind SQL injection vulnerability in the WP CTA WordPress plugin allows unauthenticated attackers to extract sensitive information from the underlying database.
Vulnerability
The plugin contains a vulnerability in the 'fildname' parameter, which fails to properly sanitize user input, allowing for time-based blind SQL injection (CWE-89). This can be executed by an unauthenticated attacker.
Business impact
SQL injection vulnerabilities allow attackers to query the database, potentially exposing sensitive customer data, configuration details, or authentication credentials. Given the CVSS score of 7.5, this is a high-severity issue that could lead to significant data exfiltration.
Remediation
Immediate Action: Update the WP CTA plugin to the latest version immediately to patch the vulnerable parameter handling.
Proactive Monitoring: Use a database activity monitor to identify slow or unusual queries that may indicate automated SQL injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block common SQL injection patterns and filter malicious input in HTTP requests.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Because this vulnerability is exploitable by unauthenticated users, it presents a significant risk to any site utilizing this plugin. Administrators should apply the vendor-provided security update without delay to prevent potential database compromise.