The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.
Authenticated attackers with Subscriber-level access can delete all contact form leads stored by the My Sticky Elements WordPress plugin. This vulnerability, stemming from a missing capability check, allows attackers to cause significant data loss, potentially impacting customer relationship management and business operations.
Step 1: Authentication: The attacker authenticates to the WordPress site with a valid user account, at a Subscriber level or higher.
Step 2: Payload Construction: The attacker crafts a malicious request targeting the my_sticky_elements_bulks function. This request likely includes parameters specifying the deletion action.
Step 3: Request Submission: The attacker submits the crafted request to the vulnerable WordPress site.
Step 4: Function Execution: The my_sticky_elements_bulks function is executed. Because of the missing capability check, the function proceeds without verifying the user's permissions.
Step 5: Data Deletion: The function deletes all contact form leads stored by the plugin, as specified in the attacker's request.
Step 6: Confirmation (Optional): The attacker may receive confirmation of the deletion, or the impact may be observed through the absence of leads in the plugin's interface.
The vulnerability lies in the my_sticky_elements_bulks function of the My Sticky Elements plugin. This function, which handles bulk actions on contact form leads, lacks a capability check: it does not verify that the requesting user holds a capability such as manage_options or edit_posts before it modifies or deletes data. As a result, any authenticated user with Subscriber-level privileges or higher can trigger the function and delete all stored leads. The root cause is insufficient access control (a missing authorization check); its effect is privilege escalation, since a low-privileged account can perform an action that should be restricted to administrators.
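To show the defect class and its fix side by side, the following is an added illustrative WordPress AJAX handler in PHP; it is not the My Sticky Elements plugin's code, and the hook name, nonce action, table name and request parameter are assumptions.

```php
<?php
// Added illustrative example, not the plugin's own code. The hook name
// 'example_leads_bulk', the nonce action, the request parameter
// 'bulk_action' and the table 'example_leads' are all assumptions.

// Vulnerable pattern (shown for contrast, intentionally NOT registered).
// A wp_ajax_* hook fires for ANY logged-in user, so without a capability
// check a Subscriber reaches the delete branch just as an admin would.
function example_leads_bulk_vulnerable() {
    global $wpdb;
    $action = isset( $_POST['bulk_action'] )
        ? sanitize_text_field( wp_unslash( $_POST['bulk_action'] ) ) : '';
    if ( 'delete_all' === $action ) {
        // Destructive action with no authorization check at all.
        $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_leads" );
    }
    wp_send_json_success();
}

// Hardened pattern: verify the nonce (CSRF) AND the capability
// (authorization) before any state change, and fail closed with a 403.
function example_leads_bulk_hardened() {
    global $wpdb;
    // check_ajax_referer() dies on an invalid/missing nonce.
    check_ajax_referer( 'example_leads_bulk', 'nonce' );
    // A nonce proves the request came from this site's UI, not that the
    // user is allowed to act; the capability check is what authorizes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $action = isset( $_POST['bulk_action'] )
        ? sanitize_text_field( wp_unslash( $_POST['bulk_action'] ) ) : '';
    if ( 'delete_all' === $action ) {
        $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_leads" );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_leads_bulk', 'example_leads_bulk_hardened' );
```

When auditing a plugin for this defect class, every wp_ajax_* and admin_post_* handler that writes or deletes data should contain both a current_user_can() check and a nonce check; a nonce alone does not authorize, because any logged-in user can obtain a valid one from a page that renders it.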