Posts

CVE-2023-7048: CSRF to Contact Lead Export in My Sticky Bar

A My Sticky Bar CSRF issue that could trigger contact lead CSV export from an administrator's browser.

CVE-2023-7048 is a cross-site request forgery issue in the My Sticky Bar WordPress plugin.

The public advisory says versions up to and including 2.6.6 were vulnerable because of missing or incorrect nonce validation in mystickymenu-contact-leads.php. A forged request could trigger contact lead CSV export if an attacker convinced a site administrator to perform an action such as clicking a link.

Summary card for CVE-2023-7048 showing affected product, impact, and CVSS score
CVE-2023-7048 affected My Sticky Bar versions up to and including 2.6.6. As of June 2026, WordPress.org lists the plugin at 100,000+ active installations.

The bug

CSRF bugs are easy to underestimate because they do not usually look dramatic in isolation. The issue is not that the attacker has direct access to the admin action. The issue is that the browser of an authenticated administrator can be pushed into making the request.

In this case, the action could export contact leads to a CSV file. Wordfence notes that the CSV was written to a public location for a short window before the export function automatically deleted it.

Why it mattered

This was a low-severity vulnerability, but the data involved still mattered. Contact leads can contain names, email addresses, phone numbers, and message content depending on how the site owner configured the plugin.

The interesting part of the finding was the timing and storage behavior. The export did not need to stay public forever to be sensitive. A short-lived public artifact is still an exposure if an attacker can cause it to exist and fetch it quickly enough.

Fix

My Sticky Bar patched the issue in version 2.6.7. Site owners should update to 2.6.7 or newer.

References