CVE-2025-8152 MEDIUM

CVE-2025-8152: WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons <= 1.7.0 - Missing Authorization to Unauthenticated Sticky Status Update

Vendor Blendmedia
Product WP CTA – Call Now Button, Sticky Button & Call to Action Builder
Weakness CWE-862 · Missing authorization
Published August 2, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_cta_status' and 'change_sticky_sidebar_name' functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard.
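The description above names the root cause: two AJAX-style functions that change plugin data can be reached without a capability check (CWE-862). The following is an added illustration of that pattern in a generic WordPress plugin, written for this page; it is not the plugin's own code. The hook names, the `wpcta_demo_` function names, the meta keys, the option name, the nonce action and the choice of `manage_options` as the required capability are all assumptions. Only the two function names taken from the advisory ('update_cta_status' and 'change_sticky_sidebar_name') come from the page.

```php
<?php
// Added example of CWE-862 (missing authorization) in WordPress AJAX handlers.
// Not the plugin's code: all names, keys and capabilities below are assumed.

// ---- Vulnerable pattern -------------------------------------------------
// Registering the handler on wp_ajax_nopriv_* exposes it to anonymous
// visitors via /wp-admin/admin-ajax.php?action=update_cta_status, and the
// body never asks who the caller is.
add_action( 'wp_ajax_update_cta_status',        'wpcta_demo_update_cta_status_unsafe' );
add_action( 'wp_ajax_nopriv_update_cta_status', 'wpcta_demo_update_cta_status_unsafe' );

function wpcta_demo_update_cta_status_unsafe() {
    $cta_id = isset( $_POST['cta_id'] ) ? absint( $_POST['cta_id'] ) : 0;
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    // Sanitisation is not authorization: any client can flip the status.
    update_post_meta( $cta_id, '_wpcta_demo_status', $status );
    wp_send_json_success();
}

// ---- Hardened pattern ---------------------------------------------------
// No wp_ajax_nopriv_* registration: WordPress answers unauthenticated calls
// with "0" and HTTP 400 before the callback runs. The callback then checks a
// nonce (CSRF), a capability (the check CWE-862 is about) and the input.
add_action( 'wp_ajax_update_cta_status', 'wpcta_demo_update_cta_status_safe' );

function wpcta_demo_update_cta_status_safe() {
    // 1. CSRF: nonce issued in the admin page with wp_create_nonce( 'wpcta_demo_status' ).
    //    check_ajax_referer() dies with HTTP 403 on a bad or missing nonce.
    check_ajax_referer( 'wpcta_demo_status', 'nonce' );

    // 2. Authorization: the missing step in the vulnerable version.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validation: only the states the feature actually has.
    $cta_id = isset( $_POST['cta_id'] ) ? absint( $_POST['cta_id'] ) : 0;
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( 0 === $cta_id || ! in_array( $status, array( 'active', 'inactive' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    update_post_meta( $cta_id, '_wpcta_demo_status', $status );
    wp_send_json_success( array( 'cta_id' => $cta_id, 'status' => $status ) );
}

// The second function from the advisory needs the same three checks. The
// name is later rendered in the admin dashboard, so it is also sanitised
// on input and must be escaped (esc_html) wherever it is printed.
add_action( 'wp_ajax_change_sticky_sidebar_name', 'wpcta_demo_change_sticky_sidebar_name_safe' );

function wpcta_demo_change_sticky_sidebar_name_safe() {
    check_ajax_referer( 'wpcta_demo_rename', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( '' === $name || mb_strlen( $name ) > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid name' ), 400 );
    }
    update_option( 'wpcta_demo_sidebar_name', $name );
    wp_send_json_success( array( 'name' => $name ) );
}
```

The order of the checks matters for review: a nonce alone is not an authorization control (any logged-in user, or a subscriber-level account, can obtain one for a page they can view), and `current_user_can()` alone does not stop CSRF, so a state-changing handler needs both. Dropping the `wp_ajax_nopriv_` registration is the cheapest fix for the unauthenticated case but, on its own, would still leave the handler open to every authenticated role.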

Explanation of Vulnerability in Simple Terms

02 Summary

WP CTA – Call Now Button lets unauthenticated attackers change plugin data without authorization. In all versions up to and including 1.7.0 the 'update_cta_status' and 'change_sticky_sidebar_name' functions do not check the caller's capabilities, so anyone who can reach the site over the network, with no WordPress account, can change the status of a sticky CTA and the name shown in the plugin's back-end dashboard. Site owners should upgrade to a release later than 1.7.0.

What an attacker can do

03 Attacker Capabilities

Change the status of a sticky CTA and the name displayed in the back-end WP CTA Dashboard, without a WordPress account. The advisory does not describe reading data or changing other settings; the CVSS vector rates the integrity impact as Low, with no confidentiality or availability impact.

Potential impact on your site

04 Site Impact

An attacker can switch sticky call-to-action elements on or off, changing what visitors see, and rename entries in the plugin's admin dashboard. The advisory describes no way to read data, redirect calls or inject attacker-controlled content into pages; the impact is limited to those two unauthorized modifications (CVSS Integrity: Low).

Conditions required to exploit

05 Prerequisites

Network access to a site running the plugin at version 1.7.0 or earlier; no authentication or user interaction required.

Key dates

06 Disclosure timeline

August 2, 2025 CVE published
April 8, 2026 Record updated
