
CVE-2023-7048: CWE-352 Cross-Site Request Forgery (CSRF) in galdub Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Severity: Low
Type: Vulnerability
Tags: CVE-2023-7048, CWE-352
Published: Thu Jan 11 2024 (01/11/2024, 08:32:55 UTC)
Source: CVE Database V5
Vendor/Project: galdub
Product: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Description

The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can be downloaded during a very short window of time before it is automatically deleted by the export function.

AI-Powered Analysis

Last updated: 07/04/2025, 15:27:24 UTC

Technical Analysis

CVE-2023-7048 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin 'My Sticky Bar' (formerly known as myStickymenu), developed by galdub. This plugin provides features such as a floating notification bar, sticky menu on scroll, announcement banner, and sticky header for any WordPress theme. The vulnerability exists in all versions up to and including 2.6.6 due to missing or incorrect nonce validation in the mystickymenu-contact-leads.php file. A WordPress nonce is a per-user, per-action token that a legitimate admin page embeds in its links and forms; because a page on another origin cannot read that token for the victim's session, verifying it on the server is what distinguishes a request the administrator actually initiated from one a third-party page submitted on their behalf. The absence or improper implementation of this check allows an unauthenticated attacker to craft a request that, once an authenticated site administrator is tricked into triggering it, performs an unintended action: exporting a CSV file containing contact leads. The exported CSV file is temporarily stored in a publicly accessible location before being automatically deleted shortly afterwards. During this brief window, the contact lead data can be downloaded, potentially exposing personal or business information. The vulnerability requires user interaction (the administrator must be tricked into clicking a link), and no prior authentication is needed for the attacker to initiate the forged request. The CVSS v3.1 base score is 3.1, indicating low severity, primarily because of the high attack complexity, the requirement for user interaction, and the limited confidentiality impact. There were no known exploits in the wild at the time of publication, and no official patch had been linked yet. This vulnerability falls under CWE-352, which covers CSRF attacks where unauthorized commands are transmitted from a user that the web application trusts.
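The following is an added, illustrative WordPress handler pair, not the plugin's own code: it contrasts the weak pattern the analysis describes (an admin action with no nonce check that writes the CSV to a public path) with a hardened form that checks capability and nonce and streams the file directly to the authenticated administrator. The hook, function and nonce-action names (msb_export_leads_*) are hypothetical, and msb_fetch_leads() returns constructed sample rows in place of the plugin's leads table.

```php
<?php
// Constructed stand-in for the plugin's data source (not real lead data).
function msb_fetch_leads() {
    return array(
        array( 'email', 'name' ),
        array( 'alice@example.test', 'Alice Example' ),
    );
}

// Weak pattern (the class of bug CVE-2023-7048 describes): any request reaching
// this hook runs the export, and the file lands under a web-accessible path.
function msb_export_leads_unsafe() {
    $path = wp_upload_dir()['basedir'] . '/leads.csv';   // public location
    $fh   = fopen( $path, 'w' );
    foreach ( msb_fetch_leads() as $row ) { fputcsv( $fh, $row ); }
    fclose( $fh );
    // file is deleted again later, leaving a download window in between
}

// Hardened pattern: capability check, nonce bound to this action and the
// logged-in user, and the CSV streamed to the requester rather than stored.
function msb_export_leads_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies with a 403 if '_wpnonce' is missing or does
    // not verify for the 'msb_export_leads' action and the current user.
    check_admin_referer( 'msb_export_leads' );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="leads.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( msb_fetch_leads() as $row ) { fputcsv( $out, $row ); }
    fclose( $out );
    exit;
}
add_action( 'admin_post_msb_export_leads', 'msb_export_leads_safe' );

// The export link rendered in the admin UI carries the matching nonce; a page
// on another origin cannot obtain this value for the victim's session.
function msb_export_button_html() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=msb_export_leads' ),
        'msb_export_leads'
    );
    return '<a class="button" href="' . esc_url( $url ) . '">Export leads</a>';
}
```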

Potential Impact

For European organizations using WordPress websites with the My Sticky Bar plugin, this vulnerability could lead to unauthorized disclosure of contact lead information, which may include personal data protected under GDPR. Although the exposure window is short and the attack requires tricking an administrator, the leakage of contact leads can result in privacy violations, reputational damage, and potential regulatory penalties. The impact is primarily on confidentiality, with no direct effect on data integrity or availability. Organizations that rely on this plugin for marketing or customer engagement may face risks of data leakage to unauthorized parties, which could be exploited for phishing or social engineering attacks. The low CVSS score reflects the limited scope and complexity, but the sensitivity of contact lead data in European jurisdictions elevates the importance of addressing this vulnerability promptly.

Mitigation Recommendations

European organizations should immediately verify whether their WordPress installations use the My Sticky Bar plugin and identify the version in use. Until an official patch is released, administrators should consider disabling the plugin or restricting administrative access to trusted networks to reduce exposure. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the mystickymenu-contact-leads.php endpoint can help mitigate exploitation attempts. Additionally, educating administrators about the risks of clicking untrusted links and employing multi-factor authentication (MFA) for WordPress admin accounts can reduce the likelihood of successful social engineering. Monitoring web server logs for unusual export requests, and ensuring that exported CSV files are not publicly accessible or are protected by authentication controls, will further limit data exposure. Once a patch is available, organizations must prioritize updating the plugin to a version with proper nonce validation.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2023-12-21T15:18:38.389Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f034b182aa0cae27e666a

Added to database: 6/3/2025, 2:14:35 PM

Last enriched: 7/4/2025, 3:27:24 PM

Last updated: 7/28/2025, 6:20:27 PM
