Source: security@wordfence.com
The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.
Authenticated attackers with Subscriber-level access can delete all contact form leads stored by the My Sticky Elements WordPress plugin. This vulnerability, stemming from a missing capability check, allows attackers to cause significant data loss, potentially impacting customer relationship management and business operations.
Step 1: Authentication: The attacker authenticates to the WordPress site with a valid user account, at a Subscriber level or higher.
Step 2: Payload Construction: The attacker crafts a malicious request targeting the my_sticky_elements_bulks function. This request likely includes parameters specifying the deletion action.
Step 3: Request Submission: The attacker submits the crafted request to the vulnerable WordPress site.
Step 4: Function Execution: The my_sticky_elements_bulks function is executed. Because of the missing capability check, the function proceeds without verifying the user's permissions.
Step 5: Data Deletion: The function deletes all contact form leads stored by the plugin, as specified in the attacker's request.
Step 6: Confirmation (Optional): The attacker may receive confirmation of the deletion, or the impact may be observed through the absence of leads in the plugin's interface.
The vulnerability lies within the my_sticky_elements_bulks function of the My Sticky Elements plugin. This function, responsible for bulk actions related to contact form leads, lacks a proper capability check. This means the function does not verify whether the user has the necessary permissions (e.g., manage_options, edit_posts) before executing actions that modify or delete data. The absence of this check allows any authenticated user with Subscriber-level privileges or higher to trigger the function and delete all stored leads. The root cause is insufficient access control: the missing authorization check lets a low-privileged user perform an administrator-level action, which amounts to a privilege escalation.
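The pattern described above, as an added illustration (this is not the My Sticky Elements plugin's own code and does not reproduce its internals): a WordPress AJAX handler for bulk actions on contact-form leads, first as it looks with no authorization check, then hardened with a capability check, a nonce check and an action allow-list. The hook name (wp_ajax_example_leads_bulk), the table name (example_leads), the nonce action and the request parameters are hypothetical; only the WordPress API calls (current_user_can, check_ajax_referer, wp_send_json_error, sanitize_key, $wpdb->prepare) are real.

```php
<?php
/**
 * Added illustration, not the plugin's code. Runs inside WordPress as a plugin
 * or mu-plugin. Hook, table and parameter names are hypothetical.
 */

// VULNERABLE PATTERN: every logged-in user can reach wp_ajax_* hooks, so a
// handler that never checks capabilities lets a Subscriber run an
// administrator-level action.
function example_leads_bulk_unchecked() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_leads';                // hypothetical table
    if ( isset( $_POST['bulk_action'] ) && 'delete_all' === $_POST['bulk_action'] ) {
        $wpdb->query( "TRUNCATE TABLE {$table}" );           // runs for any authenticated user
    }
    wp_send_json_success();
}

// HARDENED PATTERN: capability check, nonce check, explicit allow-list of
// actions, and an audit line in the PHP error log for every denied attempt.
function example_leads_bulk_hardened() {
    global $wpdb;

    // 1. Authorization: only users who may manage the site can purge leads.
    if ( ! current_user_can( 'manage_options' ) ) {
        $user = wp_get_current_user();
        error_log( sprintf(
            'example_leads: denied bulk action for user #%d (%s) from %s',
            $user->ID,
            $user->user_login,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the nonce is only issued on pages an authorized user sees.
    check_ajax_referer( 'example_leads_bulk', 'nonce' );     // sends 403 and exits on failure

    // 3. Input validation: accept only known actions, never an arbitrary string.
    $action  = isset( $_POST['bulk_action'] ) ? sanitize_key( wp_unslash( $_POST['bulk_action'] ) ) : '';
    $allowed = array( 'delete_selected', 'delete_all' );
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown bulk action.' ), 400 );
    }

    $table = $wpdb->prefix . 'example_leads';
    if ( 'delete_all' === $action ) {
        $wpdb->query( "TRUNCATE TABLE {$table}" );
    } else {
        // Selected rows only: cast every id to a non-negative integer and bind
        // them through prepare() instead of interpolating request data.
        $ids = array_filter( array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) ) );
        if ( $ids ) {
            $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
            $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", $ids ) );
        }
    }
    wp_send_json_success( array( 'action' => $action ) );
}

add_action( 'wp_ajax_example_leads_bulk', 'example_leads_bulk_hardened' );
```

The order of the checks matters: the capability check comes first so that an unprivileged user is rejected before the handler reads any request data, and the nonce check is a CSRF defence on top of authorization, not a substitute for it. A nonce alone would not have prevented this issue, because a Subscriber can obtain a valid nonce for any page they are allowed to load.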
While no specific APTs are immediately linked, this vulnerability is attractive to a wide range of attackers, including those seeking to disrupt operations, conduct espionage, or cause financial harm. The impact of data loss makes this a high-priority target. CISA KEV status is highly probable if the vulnerability is actively exploited.
Monitor WordPress access logs for suspicious activity, particularly requests that reach the my_sticky_elements_bulks function (in WordPress, plugin handlers are typically invoked through admin-ajax.php or admin-post.php with an action parameter).
Analyze HTTP request logs for POST requests with parameters related to bulk actions within the My Sticky Elements plugin.
Implement file integrity monitoring to detect unauthorized modifications to plugin files.
Monitor database activity for unexpected deletions or modifications of data related to contact form leads.
Network Intrusion Detection Systems (NIDS) can be configured to detect malicious requests based on known exploit patterns or signatures.
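A small log-review script for the first two detection items above, added here as an example and not part of the advisory or the plugin. It scans web-server access log lines (combined format) for POST requests to admin-ajax.php or admin-post.php whose action parameter looks like a bulk operation, and counts them per source address. The action-name pattern is a placeholder because the advisory does not publish the plugin's real action slug, and the sample log lines are constructed. One caveat a practitioner should keep in mind: a standard access log records only the request line, so an action that is sent in the POST body rather than the query string is invisible here and needs a WAF or application-level log instead.

```php
<?php
/**
 * Added example: flag POST requests to WordPress AJAX/admin-post endpoints
 * whose query-string "action" matches a bulk-operation pattern.
 * Run with: php scan_bulk_actions.php
 */

const SUSPECT_ACTION = '/(sticky|bulk)/i';   // placeholder: real slug not in the advisory
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

// Constructed sample log lines; 198.51.100.7 issues the suspicious requests.
$sample = <<<'LOG'
203.0.113.5 - - [10/Mar/2025:09:14:02 +0000] "GET /blog/ HTTP/1.1" 200 5123
198.51.100.7 - - [10/Mar/2025:09:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2025:09:15:31 +0000] "POST /wp-admin/admin-ajax.php?action=sticky_leads_bulk HTTP/1.1" 200 42
198.51.100.7 - - [10/Mar/2025:09:15:32 +0000] "POST /wp-admin/admin-ajax.php?action=sticky_leads_bulk HTTP/1.1" 200 42
203.0.113.5 - - [10/Mar/2025:09:16:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 89
LOG;

/** Return one record per matching request: ip, timestamp, action, HTTP status. */
function scan_access_log(string $log): array
{
    $endpoints = ['/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php'];
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                                   // not a combined-format line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        if ($method !== 'POST') {
            continue;
        }
        $path  = parse_url($target, PHP_URL_PATH);
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        if (!in_array($path, $endpoints, true)) {
            continue;
        }
        parse_str($query, $params);
        $action = $params['action'] ?? '';
        if ($action === '' || !preg_match(SUSPECT_ACTION, $action)) {
            continue;
        }
        $hits[] = ['ip' => $ip, 'time' => $ts, 'action' => $action, 'status' => (int) $status];
    }
    return $hits;
}

$hits = scan_access_log($sample);
foreach ($hits as $h) {
    printf("ALERT %s %s action=%s status=%d\n", $h['time'], $h['ip'], $h['action'], $h['status']);
}

// Per-source counts make repeated attempts from one address stand out.
foreach (array_count_values(array_column($hits, 'ip')) as $ip => $n) {
    printf("%s: %d suspicious bulk request(s)\n", $ip, $n);
}
```

On the constructed sample this reports the two requests from 198.51.100.7 and nothing for the heartbeat call, which is the normal WordPress admin polling action. Correlating the flagged timestamps with the WordPress user session (for example, a wp-login.php POST from the same address moments earlier, as in the sample) tells you which account was used, which is the piece of information the access log alone cannot provide.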
Update the My Sticky Elements plugin to version 2.3.4 or later, which includes a fix for this vulnerability.
Implement a Web Application Firewall (WAF) to filter malicious requests targeting the vulnerable function.
Review and enforce the principle of least privilege for all WordPress user accounts. Limit the number of users with elevated privileges.
Regularly back up the WordPress database and website files to enable data recovery in case of a successful attack.
Conduct regular security audits and penetration testing to identify and address vulnerabilities.
Implement a security plugin to monitor for suspicious activity and provide additional security features.