CVE-2025-14428: CWE-862 Missing Authorization in galdub All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements
The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-14428 affects the WordPress plugin 'All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements' developed by galdub. The core issue is a missing authorization check (CWE-862) in the 'my_sticky_elements_bulks' function, which handles bulk operations on the contact form leads the plugin stores. Because the function never verifies that the caller holds a capability appropriate for the operation, any authenticated user with at least Subscriber-level privileges can invoke it and delete every stored lead, resulting in unauthorized data loss. All versions up to and including 2.3.3 are affected. The CVSS v3.1 base score is 4.3 (medium severity), corresponding to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: the attack is network-based, requires low attack complexity and low privileges, needs no user interaction beyond holding a valid account, and impacts integrity only, not confidentiality or availability. Note that the Subscriber requirement is a low bar in practice: any site with open registration, customer or membership accounts, or a single compromised low-privilege login already meets it, since WordPress exposes plugin request handlers to every logged-in user regardless of role unless the handler checks capabilities itself. There are no known exploits in the wild, and no patch had been released at the time of publication. The vulnerability primarily threatens the integrity of lead data collected via the plugin, which can disrupt marketing and customer relationship management processes. Since WordPress is widely used across Europe, especially for business and e-commerce websites, this vulnerability could have significant operational impact if exploited.
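To make the CWE-862 pattern concrete, the following added example shows a generic WordPress AJAX bulk handler with no authorization check beside a hardened version. This is illustrative code written for this page, not the My Sticky Elements plugin's source; the handler names, the 'example_bulk_leads' AJAX action and nonce, and the 'example_leads' table are assumptions. The hardened handler adds the three controls a reviewer would look for: a nonce check against CSRF, a capability check (the control that is missing in the advisory), and an allow-list of bulk operations.

```php
<?php
/*
 * Illustrative CWE-862 pattern in a WordPress AJAX handler.
 * NOT the My Sticky Elements plugin's code: the function names, the AJAX action
 * 'example_bulk_leads', the nonce name and the 'example_leads' table are assumed.
 */

// --- Vulnerable pattern: neither a nonce nor a capability check ----------
// wp_ajax_* hooks fire for every logged-in user, Subscriber included, so any
// account on the site can reach this and wipe the table.
function example_bulk_leads_vulnerable() {
    global $wpdb;
    $action = isset( $_POST['bulk_action'] ) ? sanitize_key( $_POST['bulk_action'] ) : '';
    if ( 'delete_all' === $action ) {
        $wpdb->query( "DELETE FROM {$wpdb->prefix}example_leads" ); // assumed table
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_bulk_leads', 'example_bulk_leads_vulnerable' );

// --- Hardened pattern ------------------------------------------------------
function example_bulk_leads_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this user and action.
    //    Dies with HTTP 403 on mismatch.
    check_ajax_referer( 'example_bulk_leads', 'nonce' );

    // 2. Authorization: the check whose absence is CWE-862. Use the narrowest
    //    capability that fits the operation; manage_options is Administrator-only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Accept only an explicit allow-list of bulk operations.
    $allowed = array( 'delete_selected', 'delete_all' );
    $action  = isset( $_POST['bulk_action'] ) ? sanitize_key( wp_unslash( $_POST['bulk_action'] ) ) : '';
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown action' ), 400 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'example_leads'; // assumed table name

    if ( 'delete_selected' === $action ) {
        // Coerce every id to a non-negative integer, then bind with prepare().
        $ids = isset( $_POST['ids'] ) ? array_map( 'absint', (array) $_POST['ids'] ) : array();
        $ids = array_values( array_filter( $ids ) );
        if ( empty( $ids ) ) {
            wp_send_json_error( array( 'message' => 'no ids' ), 400 );
        }
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
        $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", $ids ) );
    } else {
        $wpdb->query( "DELETE FROM {$table}" );
    }

    wp_send_json_success( array( 'action' => $action, 'rows' => $wpdb->rows_affected ) );
}
add_action( 'wp_ajax_example_bulk_leads_hardened', 'example_bulk_leads_hardened' );

// The admin screen that renders the bulk form must emit the matching nonce,
// e.g. wp_nonce_field( 'example_bulk_leads', 'nonce' ); the JavaScript then
// posts bulk_action, ids[] and nonce to admin-ajax.php.
```

Ordering matters: the nonce check runs first so an unauthenticated or cross-site request is rejected before any capability lookup, and the capability check runs before any request parameter is interpreted, so a low-privilege account cannot even reach the allow-list logic. A nonce alone is not authorization (a Subscriber can obtain a nonce for their own session), which is why both checks are needed.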
Potential Impact
For European organizations, the primary impact of CVE-2025-14428 is the unauthorized deletion of contact form lead data, which can disrupt marketing campaigns, sales pipelines, and customer engagement efforts. Loss of lead data can mean lost revenue opportunities and damage to customer relationships. Although the vulnerability neither exposes data nor causes a service outage, the integrity loss translates into operational downtime while leads are restored from backup or recreated, and into silent data loss where no backup exists. Organizations that rely on the affected plugin as their primary lead capture channel are at higher risk. The vulnerability is also a natural destructive follow-on to any low-privilege account takeover, since a single phished or password-sprayed Subscriber account is sufficient. The requirement for authenticated access therefore limits the attack surface but does not eliminate risk, especially on sites with open registration, customer accounts, or weak credential hygiene.
Mitigation Recommendations
1. Immediately audit user accounts on WordPress sites running the affected plugin. Subscriber is the lowest role, so "only trusted users at Subscriber level or above" in practice means disabling open registration (Settings > General > "Anyone can register"), removing stale or unknown accounts, and reviewing any customer or membership integrations that create accounts automatically.
2. Do not rely on role or capability remapping to mitigate this issue. The vulnerable handler performs no capability check at all, so tightening which roles hold a given capability has no effect on it; role management is still worthwhile to limit what a compromised account can do elsewhere, but it is not a fix for CWE-862.
3. Monitor for bulk deletion activity related to the plugin. WordPress does not log plugin request handlers by default, so use web server access logs or a logging must-use plugin to record POST requests to the plugin's handler by non-administrator accounts, and alert on a sudden drop in the lead count.
4. Implement multi-factor authentication (MFA) for all WordPress user accounts to reduce the risk of account compromise.
5. Regularly back up contact form lead data (the plugin's database table(s) as well as the site) and test restoration procedures to minimize the impact of a deletion.
6. Follow the plugin vendor and WordPress security advisories closely and apply the fixed version as soon as it becomes available.
7. Consider temporarily deactivating or replacing the plugin if immediate patching is not possible; the handler is only reachable while the plugin is active.
8. Educate site administrators about the risks of low-privilege accounts on a site with unpatched plugins and enforce strong password policies for all roles, not only administrators.
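As an added example of the interim controls in items 1 and 3 (it is not a patch and is not the plugin's code), the following must-use plugin forces registration closed regardless of the stored option, logs every admin-ajax.php POST made by a logged-in user below Administrator together with its 'action' parameter, and can block a configurable list of actions for such users. The hook and function names are WordPress core; the log format is this example's own, and the blocked-action list is left empty because the plugin's AJAX action name is not given on this page and must be read from the plugin source before it is filled in.

```php
<?php
/*
 * Plugin Name: Interim Hardening for Low-Privilege Bulk Handlers (example)
 * Description: Drop into wp-content/mu-plugins/. Illustrative interim control
 *              written for this advisory page, not a vendor patch.
 */

// Actions to refuse for non-administrators. Intentionally empty here: fill in
// the plugin's actual AJAX action name(s) after reading its source.
const EXAMPLE_BLOCKED_AJAX_ACTIONS = array();

// 1. Close open registration regardless of the stored option so an attacker
//    cannot self-provision the Subscriber account the vulnerability needs.
add_filter( 'pre_option_users_can_register', function () {
    return 0;
} );

// 2. admin_init also fires for admin-ajax.php requests. Log every POST from a
//    logged-in user who is not an administrator, with the requested action, so
//    a bulk deletion from a low-privileged account leaves a trace even though
//    the vulnerable handler itself records nothing.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
    if ( 'POST' !== $method || ! is_user_logged_in() || current_user_can( 'manage_options' ) ) {
        return;
    }

    $user   = wp_get_current_user();
    $action = isset( $_POST['action'] ) ? sanitize_key( wp_unslash( $_POST['action'] ) ) : '(none)';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '?';

    // Example log line format; ship error_log output to your SIEM.
    error_log( sprintf(
        'lowpriv-ajax user_id=%d login=%s roles=%s action=%s ip=%s',
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $action,
        $ip
    ) );

    // 3. Optional blocking: refuse known-dangerous actions for non-administrators
    //    until the fixed plugin version is installed.
    if ( in_array( $action, EXAMPLE_BLOCKED_AJAX_ACTIONS, true ) ) {
        error_log( sprintf( 'lowpriv-ajax BLOCKED user_id=%d action=%s', $user->ID, $action ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}, 1 );
```

Priority 1 on the admin_init hook runs the check before most plugins register their own admin_init work, and wp_send_json_error() terminates the request, so a blocked action never reaches the plugin's handler. Logging non-administrator admin-ajax.php traffic is noisy on sites with many logged-in users; filter on the action values you care about once they are known.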
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T03:20:27.688Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6956a0c2db813ff03e6d1573
Added to database: 1/1/2026, 4:28:50 PM
Last enriched: 1/8/2026, 6:57:21 PM
Last updated: 2/7/2026, 2:58:44 PM