cleantalk
Vulnerabilities and Security Researches

Sticky Buttons – floating buttons builder, 870db21795be87364d12ad8e25fd5a926cbf8a35

CVE, Research URL

870db21795be87364d12ad8e25fd5a926cbf8a35

Home page URL

Security reports for Sticky Buttons – floating buttons builder

Application

Sticky Buttons – floating buttons builder

Published on
Jan 22, 2024
Research Description
Sticky Buttons &#8211; Floating Buttons Builder [sticky-buttons] < 3.2.3 Sticky Buttons <= 3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting The Sticky Buttons – floating buttons builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via sticky URLs in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.2.3.
Status
vulnerable
Previous vulnerability researches
Sticky Buttons &#8211; floating buttons builder (870db21795be87364d12ad8e25fd5a926cbf8a35) , Jun 16, 2026
Sticky Buttons &#8211; floating buttons builder (CVE-2023-2362) , Jun 07, 2024
Sticky Buttons &#8211; floating buttons builder (CVE-2024-3475) , Jun 07, 2024
Sticky Buttons &#8211; floating buttons builder (CVE-2024-0703) , Jun 07, 2024
Sticky Buttons &#8211; floating buttons builder (CVE-2025-24720) , Jan 26, 2025
New vulnerability
WooCommerce (CVE-2022-50972) , Jun 22, 2026
Simple File List (CVE-2026-11911) , Jun 21, 2026
Simple File List (CVE-2026-12119) , Jun 21, 2026
Simple File List (CVE-2026-11912) , Jun 21, 2026
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026