VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 6 known issues Latest disclosed Mar 11, 2026

My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Vulnerabilities

Review known vulnerability records for the WordPress plugin My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) (`mystickymenu`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-3657, CVE-2024-7133 and CVE-2024-4090, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
6
High or Critical
1
Patch Coverage
100%
Last Updated
Mar 12, 2026
Priority CVE Quick Links

Fast paths into My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
6
CVE-2026-3657 High 2.8.7
CVE-2026-3657 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) SQL Injection

My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action

CVE-2023-5509 Medium 2.6.5
CVE-2023-5509 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Vulnerability

myStickymenu <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Lead Deletion

CVE-2021-24425 Medium 2.5.2
CVE-2021-24425 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Stored Cross-Site Scripting

myStickymenu <= 2.5.1 - Authenticated Stored Cross-Site Scripting

CVE-2024-7133 Medium 2.7.3
CVE-2024-7133 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Stored Cross-Site Scripting

My Sticky Bar <= 2.7.2 - Authenticated (Admin+) Stored Cross-Site Scripting

CVE-2024-4090 Medium 2.7.2
CVE-2024-4090 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Stored Cross-Site Scripting

My Sticky Bar (formerly myStickymenu) <= 2.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

CVE-2023-7048 Low 2.6.7
CVE-2023-7048 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Sensitive Information Exposure

My Sticky Bar <= 2.6.6 - Cross-Site Request Forgery to Sensitive Information Exposure

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
6 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 1 high severity finding.
Recent CVEs
CVE-2026-3657, CVE-2024-7133 and CVE-2024-4090
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu)

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-3657
CVE-2026-3657: My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action

The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$...

Published
Mar 11, 2026
Patched Release
2.8.7
Affected Versions
Versions up to 2.8.6
Next Step
Update to 2.8.7 or newer if supported.
Open CVE-2026-3657 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-7133
CVE-2024-7133: My Sticky Bar <= 2.7.2 - Authenticated (Admin+) Stored Cross-Site Scripting

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.2 due...

Published
Aug 23, 2024
Patched Release
2.7.3
Affected Versions
Versions up to 2.7.2
Next Step
Update to 2.7.3 or newer if supported.
Open CVE-2024-7133 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-4090
CVE-2024-4090: My Sticky Bar (formerly myStickymenu) <= 2.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.1 due...

Published
Jul 11, 2024
Patched Release
2.7.2
Affected Versions
Versions up to 2.7.1
Next Step
Update to 2.7.2 or newer if supported.
Open CVE-2024-4090 Report Open CVE Reference
Plugin Low Patched: Yes CVE-2023-7048
CVE-2023-7048: My Sticky Bar <= 2.6.6 - Cross-Site Request Forgery to Sensitive Information Exposure

The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger...

Published
Jan 03, 2024
Patched Release
2.6.7
Affected Versions
Versions up to 2.6.6
Next Step
Update to 2.6.7 or newer if supported.
Open CVE-2023-7048 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-5509
CVE-2023-5509: myStickymenu <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Lead Deletion

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the my_sticky_menu_bulks...

Published
Oct 27, 2023
Patched Release
2.6.5
Affected Versions
Versions up to 2.6.4
Next Step
Update to 2.6.5 or newer if supported.
Open CVE-2023-5509 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2021-24425
CVE-2021-24425: myStickymenu <= 2.5.1 - Authenticated Stored Cross-Site Scripting

The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site S...

Published
Jun 21, 2021
Patched Release
2.5.2
Affected Versions
Versions before 2.5.2
Next Step
Update to 2.5.2 or newer if supported.
Open CVE-2021-24425 Report Open CVE Reference