CVE-2023-7048 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin 'My Sticky Bar' (formerly known as myStickymenu), developed by galdub. This plugin provides features such as a floating notification bar, sticky menu on scroll, announcement banner, and sticky header for any WordPress theme. The vulnerability exists in all versions up to and including 2.6.6 due to missing or incorrect nonce validation in the mystickymenu-contact-leads.php file. Nonce validation is a security mechanism used to ensure that requests are legitimate and initiated by authorized users. The absence or improper implementation of this validation allows an unauthenticated attacker to craft a malicious request that tricks an authenticated site administrator into performing an unintended action, specifically triggering the export of a CSV file containing contact leads. The exported CSV file is temporarily stored in a publicly accessible location before being automatically deleted shortly after. During this brief window, an attacker can download sensitive contact lead data, potentially exposing personal or business information. The vulnerability requires user interaction (the administrator must be tricked into clicking a link), and no prior authentication is needed for the attacker to initiate the forged request. The CVSS v3.1 base score is 3.1, indicating a low severity primarily due to the high attack complexity and requirement for user interaction, as well as the limited confidentiality impact. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. This vulnerability falls under CWE-352, which covers CSRF attacks where unauthorized commands are transmitted from a user that the web application trusts.

For European organizations using WordPress websites with the My Sticky Bar plugin, this vulnerability could lead to unauthorized disclosure of contact lead information, which may include personal data protected under GDPR. Although the exposure window is short and the attack requires tricking an administrator, the leakage of contact leads can result in privacy violations, reputational damage, and potential regulatory penalties. The impact is primarily on confidentiality, with no direct effect on data integrity or availability. Organizations that rely on this plugin for marketing or customer engagement may face risks of data leakage to unauthorized parties, which could be exploited for phishing or social engineering attacks. The low CVSS score reflects the limited scope and complexity, but the sensitivity of contact lead data in European jurisdictions elevates the importance of addressing this vulnerability promptly.

European organizations should immediately verify if their WordPress installations use the My Sticky Bar plugin and identify the version in use. Until an official patch is released, administrators should consider disabling the plugin or restricting administrative access to trusted networks to reduce exposure. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the mystickymenu-contact-leads.php endpoint can help mitigate exploitation attempts. Additionally, educating administrators about the risks of clicking untrusted links and employing multi-factor authentication (MFA) for WordPress admin accounts can reduce the likelihood of successful social engineering. Monitoring web server logs for unusual export requests and ensuring that exported CSV files are not publicly accessible or are protected by authentication controls will further limit data exposure. Once a patch is available, organizations must prioritize updating the plugin to a secure version with proper nonce validation.