cleantalk
Vulnerabilities and Security Researches

Sticky, CVE-2026-6397

CVE, Research URL

CVE-2026-6397

Home page URL

Security reports for Sticky

Application

Sticky

Published on
May 20, 2026
Research Description
The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the `cvmh_sticky_front_render()` function — the `readmoretext` attribute value is passed through `apply_filters()` and directly concatenated into the HTML output without any escaping function such as `esc_html()`. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the injected shortcode.
Affected versions
max 2.5.6.
Status
vulnerable
Previous vulnerability researches
Data Visualizer (CVE-2025-13961) , Jan 10, 2026
Visualizer: Tables and Charts Manager for WordPress (CVE-2025-12483) , Dec 04, 2025
Visualizer: Tables and Charts Manager for WordPress (CVE-2025-1065) , Feb 21, 2025
Visualizer: Tables and Charts Manager for WordPress (CVE-2024-35736) , Jun 10, 2024
Visualizer: Tables and Charts Manager for WordPress (CVE-2022-2256) , Jun 07, 2024
New vulnerability
WordPress Online Booking and Scheduling Plugin – Bookly (CVE-2026-42667) , May 22, 2026
Email Encoder – Protect Email Addresses and Phone Numbers (CVE-2026-5776) , May 22, 2026
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory (CVE-2026-42671) , May 22, 2026
Widget Context (CVE-2026-7615) , May 22, 2026
Classified Listing – Classified ads & Business Directory Plugin (CVE-2026-42679) , May 22, 2026