CVE-2025-14428: CWE-862 Missing Authorization in galdub All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements
The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.
AI Analysis
Technical Summary
CVE-2025-14428 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin 'All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements' developed by galdub. The issue stems from the absence of a proper capability check in the 'my_sticky_elements_bulks' function, which is responsible for bulk operations on contact form leads. Because the function verifies that a user is logged in but not that the user holds a capability that permits managing leads, any authenticated user with at least Subscriber-level privileges can invoke it and delete all stored contact form leads indiscriminately. The vulnerability affects all plugin versions up to and including 2.3.3. The CVSS v3.1 base score is 4.3 (medium severity), with a vector of network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). This means the attacker must be authenticated but can exploit the vulnerability remotely without any action by another user. The impact is limited to integrity loss through unauthorized deletion of data, specifically contact form leads, which could disrupt business communications. No patches or fixes have been officially published at the time of this report, and no known exploits have been observed in the wild. The vulnerability is relevant to any WordPress site using this plugin, which is popular for adding sticky contact forms and social icon tabs to websites.
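The class of defect described above, a WordPress AJAX handler that is reachable by any logged-in user because it relies on the `wp_ajax_*` hook alone and never checks a capability, is shown below as an added illustration with its hardened counterpart. This is example code written for this page, not the My Sticky Elements plugin's code: the hook names, handler names, `example_leads` table and request fields are hypothetical, and only the WordPress core functions used (`current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `$wpdb->prepare`) are real.

```php
<?php
// Added illustration of CWE-862 in a WordPress bulk-action handler.
// NOT the My Sticky Elements plugin's code: handler names, hook names,
// the example_leads table and the request fields are hypothetical.

// ---- Vulnerable pattern: any logged-in user can reach this handler ----
// wp_ajax_* hooks fire only for authenticated users, which is often mistaken
// for an authorization check. A Subscriber account satisfies it.
add_action( 'wp_ajax_example_leads_bulk', 'example_leads_bulk_vulnerable' );
function example_leads_bulk_vulnerable() {
    global $wpdb;
    $action = isset( $_POST['bulk_action'] ) ? sanitize_key( $_POST['bulk_action'] ) : '';
    if ( 'delete_all' === $action ) {
        // No capability check and no nonce: every stored lead is removed.
        $wpdb->query( "DELETE FROM {$wpdb->prefix}example_leads" );
    }
    wp_send_json_success();
}

// ---- Hardened pattern: capability check, nonce, explicit action and id list ----
add_action( 'wp_ajax_example_leads_bulk_safe', 'example_leads_bulk_safe' );
function example_leads_bulk_safe() {
    global $wpdb;

    // 1. Authorization: only users allowed to manage the site may delete leads.
    //    Check a capability rather than a role name so custom roles keep working.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_leads_bulk', 'nonce' );

    // 3. Accept only a known action and an explicit list of ids; no blanket delete.
    $action = isset( $_POST['bulk_action'] ) ? sanitize_key( $_POST['bulk_action'] ) : '';
    $ids    = isset( $_POST['ids'] ) ? array_map( 'absint', (array) $_POST['ids'] ) : array();
    $ids    = array_values( array_filter( $ids ) );

    if ( 'delete' !== $action || empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // Parameterised query: one %d placeholder per id.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $deleted      = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}example_leads WHERE id IN ($placeholders)", $ids )
    );

    // 4. Audit trail so bulk deletions show up for the monitoring the advisory recommends.
    error_log( sprintf( 'example_leads: user %d deleted %d lead(s)', get_current_user_id(), (int) $deleted ) );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The nonce is handed to the admin page's script so only its own requests validate:
// wp_localize_script( 'example-admin', 'exampleLeads',
//     array( 'nonce' => wp_create_nonce( 'example_leads_bulk' ) ) );
```

The two changes that matter for CWE-862 are the `current_user_can` check and the refusal to perform an unscoped "delete everything" action; the nonce addresses a separate CSRF concern, and the log line gives the bulk-deletion monitoring suggested in the mitigation section something concrete to alert on.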
Potential Impact
The primary impact of CVE-2025-14428 is unauthorized deletion of contact form leads, which compromises data integrity. Organizations relying on this plugin for customer inquiries, lead generation, or support requests may experience loss of critical business data, leading to operational disruptions and potential revenue loss. Although the vulnerability does not affect confidentiality or availability, the deletion of leads can degrade customer experience and trust. Attackers with low-level authenticated access (Subscriber or higher) can exploit this vulnerability, which broadens the threat landscape since even minimally privileged users or compromised accounts can cause damage. This could be leveraged in insider threat scenarios or through compromised user credentials. The lack of user interaction requirement facilitates automated exploitation once credentials are obtained. The absence of patches increases exposure time, and organizations may face challenges in detecting such deletions without proper monitoring. Overall, the vulnerability poses a moderate risk to organizations that use this plugin, especially those with high volumes of customer interactions through contact forms.
Mitigation Recommendations
To mitigate CVE-2025-14428, organizations should immediately review and restrict user roles and permissions within WordPress to minimize the number of users with Subscriber-level or higher access, especially on sites using the affected plugin. Implement strict access controls and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Monitor logs and audit trails for unusual bulk deletion activities related to contact form leads. Until an official patch is released, consider disabling or removing the plugin if it is not critical to business operations. If the plugin is essential, isolate its usage to environments with tightly controlled user access. Additionally, maintain regular backups of contact form data to enable recovery in case of unauthorized deletions. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function if feasible.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T03:20:27.688Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6956a0c2db813ff03e6d1573
Added to database: 1/1/2026, 4:28:50 PM
Last enriched: 2/27/2026, 11:14:31 AM
Last updated: 3/24/2026, 9:20:19 PM