CVE-2023-7048: CWE-352 Cross-Site Request Forgery (CSRF) in galdub Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can be downloaded during a very short window of time before it is automatically deleted by the export function.
AI Analysis
Technical Summary
CVE-2023-7048 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin 'My Sticky Bar' (formerly known as myStickymenu), developed by galdub. This plugin provides features such as a floating notification bar, sticky menu on scroll, announcement banner, and sticky header for any WordPress theme. The vulnerability exists in all versions up to and including 2.6.6 due to missing or incorrect nonce validation in the mystickymenu-contact-leads.php file. Nonce validation is a security mechanism used to ensure that requests are legitimate and initiated by authorized users. The absence or improper implementation of this validation allows an unauthenticated attacker to craft a malicious request that tricks an authenticated site administrator into performing an unintended action, specifically triggering the export of a CSV file containing contact leads. The exported CSV file is temporarily stored in a publicly accessible location before being automatically deleted shortly after. During this brief window, an attacker can download sensitive contact lead data, potentially exposing personal or business information. The vulnerability requires user interaction (the administrator must be tricked into clicking a link), and no prior authentication is needed for the attacker to initiate the forged request. The CVSS v3.1 base score is 3.1, indicating a low severity primarily due to the high attack complexity and requirement for user interaction, as well as the limited confidentiality impact. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. This vulnerability falls under CWE-352, which covers CSRF attacks where unauthorized commands are transmitted from a user that the web application trusts.
Potential Impact
For European organizations using WordPress websites with the My Sticky Bar plugin, this vulnerability could lead to unauthorized disclosure of contact lead information, which may include personal data protected under GDPR. Although the exposure window is short and the attack requires tricking an administrator, the leakage of contact leads can result in privacy violations, reputational damage, and potential regulatory penalties. The impact is primarily on confidentiality, with no direct effect on data integrity or availability. Organizations that rely on this plugin for marketing or customer engagement may face risks of data leakage to unauthorized parties, which could be exploited for phishing or social engineering attacks. The low CVSS score reflects the limited scope and complexity, but the sensitivity of contact lead data in European jurisdictions elevates the importance of addressing this vulnerability promptly.
Mitigation Recommendations
European organizations should immediately verify if their WordPress installations use the My Sticky Bar plugin and identify the version in use. Until an official patch is released, administrators should consider disabling the plugin or restricting administrative access to trusted networks to reduce exposure. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the mystickymenu-contact-leads.php endpoint can help mitigate exploitation attempts. Additionally, educating administrators about the risks of clicking untrusted links and employing multi-factor authentication (MFA) for WordPress admin accounts can reduce the likelihood of successful social engineering. Monitoring web server logs for unusual export requests and ensuring that exported CSV files are not publicly accessible or are protected by authentication controls will further limit data exposure. Once a patch is available, organizations must prioritize updating the plugin to a secure version with proper nonce validation.
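To make the nonce-validation point from the Technical Summary concrete, and to show how the "exported CSV files are not publicly accessible" recommendation above can be met in code, here is an added PHP example of the vulnerable pattern beside a hardened export handler. It is illustrative code written for this page, not the My Sticky Bar plugin's source; the function names, the `admin_post_msb_export_leads` hook, the `msb_export_leads_nonce` action and the sample lead rows are all assumptions.

```php
<?php
// Illustrative example added for this advisory; NOT the plugin's own code.
// Hypothetical names: msb_get_leads(), the 'admin_post_msb_export_leads' hook
// and the nonce action 'msb_export_leads_nonce'.

// Constructed sample data standing in for the plugin's stored contact leads.
function msb_get_leads() {
    return array(
        array( 'email' => 'alice@example.test', 'name' => 'Alice', 'created' => '2023-12-01' ),
        array( 'email' => 'bob@example.test',   'name' => 'Bob',   'created' => '2023-12-02' ),
    );
}

// --- Vulnerable pattern (CWE-352) -------------------------------------------
// No nonce and no capability check: any request that reaches this handler,
// including a forged one carried by an administrator's browser, runs the
// export. The file lands under /wp-content/uploads/, which is world-readable,
// so anyone who knows the path can fetch it until it is deleted.
function msb_export_leads_vulnerable() {
    $upload = wp_upload_dir();
    $path   = trailingslashit( $upload['basedir'] ) . 'leads-export.csv';
    $fh     = fopen( $path, 'w' );
    foreach ( msb_get_leads() as $lead ) {
        fputcsv( $fh, array( $lead['email'], $lead['name'], $lead['created'] ) );
    }
    fclose( $fh );
    wp_redirect( trailingslashit( $upload['baseurl'] ) . 'leads-export.csv' );
    exit;
}

// --- Hardened pattern --------------------------------------------------------
function msb_export_leads_hardened() {
    // 1. Only a user with the required capability may export leads.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'msb' ), 403 );
    }

    // 2. The request must carry a nonce bound to this action and this user's
    //    session. A cross-site page cannot read that value, so a forged
    //    request fails here: check_admin_referer() dies with HTTP 403 when the
    //    nonce is missing or invalid.
    check_admin_referer( 'msb_export_leads_nonce', '_wpnonce' );

    // 3. Stream the CSV directly to the authenticated user instead of writing
    //    it to a public directory, so there is no download window for others.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="leads-export.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'email', 'name', 'created' ) );
    foreach ( msb_get_leads() as $lead ) {
        fputcsv( $out, array( $lead['email'], $lead['name'], $lead['created'] ) );
    }
    fclose( $out );
    exit;
}
add_action( 'admin_post_msb_export_leads', 'msb_export_leads_hardened' );

// The export link shown in the admin UI must be generated with a matching
// nonce; a link without it is rejected by the hardened handler above.
function msb_export_leads_url() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=msb_export_leads' ),
        'msb_export_leads_nonce',
        '_wpnonce'
    );
}
```

The capability check and the nonce check are independent controls: `current_user_can()` answers "is this user allowed to do this at all", while `check_admin_referer()` answers "did this user actually intend this request", which is the question CSRF exploits. Streaming the file to the response also removes the public-location exposure the advisory describes, so a WAF rule on the endpoint becomes a secondary rather than primary defence.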
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2023-12-21T15:18:38.389Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f034b182aa0cae27e666a
Added to database: 6/3/2025, 2:14:35 PM
Last enriched: 7/4/2025, 3:27:24 PM
Last updated: 8/14/2025, 1:03:01 AM