Description
Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago & Leadoo salesmanago allows Cross Site Request Forgery. This issue affects SALESmanago & Leadoo: from n/a through <= 3.8.1.
Published: 2025-09-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, classified as CWE-352, is a cross-site request forgery in the WordPress SALESmanago & Leadoo plugin. An attacker who lures an authenticated WordPress user (for example, an administrator) to a page under the attacker's control can cause that user's browser to submit a request to the plugin that is processed with the victim's privileges, changing plugin state without the victim's consent. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, score 4.3) records no impact on confidentiality or availability and a low impact on integrity; the attacker needs no privileges of their own, but the victim must interact (UI:R).

Affected Systems

The issue affects the SALESmanago & Leadoo WordPress plugin (slug salesmanago) in all versions up to and including 3.8.1. Any WordPress site with the plugin installed at one of those versions is exposed; the first fixed version is not recorded on this page.

Risk and Exploitability

With an EPSS score below 1 percent, no entry in CISA's KEV catalog, and an SSVC assessment of "Exploitation: none" and "Automatable: no", real-world exploitation is currently unlikely. The attack itself is simple to mount: the attacker hosts a page containing a form (or a link, if the endpoint accepts GET) that targets the plugin's request handler and is submitted automatically when a logged-in victim visits; the browser attaches the victim's WordPress session cookies, so the plugin cannot tell the forged request from a legitimate one unless it verifies a WordPress nonce or performs an equivalent origin check. The advisory does not identify which endpoint lacks that verification. The moderate rating reflects that the attacker gains only the integrity impact of that one action under the victim's privileges, not arbitrary control of the site.

Generated by OpenCVE AI on April 30, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a plugin release newer than 3.8.1 as soon as the vendor publishes one; the fixed version is not recorded on this page, so confirm it against the vendor changelog or the Patchstack advisory before relying on the upgrade.
  • If an upgrade is not immediately possible, deactivate or uninstall the plugin until a fixed release is available; a deactivated plugin's code is not loaded, so its request handlers are no longer registered.
  • A WAF rule cannot distinguish a forged request from a legitimate one by its body alone, since both arrive from the victim's browser with valid session cookies. A useful rule instead rejects state-changing requests to the plugin's endpoints (the admin-post.php and admin-ajax.php actions it registers) whose Origin or Referer header is not the site's own origin; a WordPress security plugin that enforces nonces on admin actions gives the same protection closer to the code.

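The following is an added illustration of the CSRF pattern described in the analysis and of the nonce-based fix the remediation bullets point at. It is not SALESmanago's code and not the code Patchstack reported on: the advisory does not name the affected endpoint, so the hook names (example_plugin_save, example_plugin_save_safe), the option name, the nonce action and the manage_options capability are all assumptions chosen for the example. Only stock WordPress APIs (admin_post_* hooks, check_admin_referer, wp_nonce_field, current_user_can, update_option) are used.

```php
<?php
/**
 * Added example, not plugin code: a WordPress admin-post handler with and
 * without CSRF protection. All hook, option and nonce names are assumptions.
 */

// --- Vulnerable pattern --------------------------------------------------
// A state change on an authenticated request with no nonce and no capability
// check. Any page the victim's browser visits can submit this form; the
// browser attaches the wp-admin session cookies automatically.
function vuln_save_settings() {
    if ( isset( $_POST['api_endpoint'] ) ) {
        update_option( 'example_plugin_api_endpoint', wp_unslash( $_POST['api_endpoint'] ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'vuln_save_settings' );

// A CSRF page on attacker.example needs nothing more than this
// (constructed illustration, not an observed exploit):
//   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
//     <input type="hidden" name="action" value="example_plugin_save">
//     <input type="hidden" name="api_endpoint" value="https://attacker.example/collect">
//   </form><script>document.forms[0].submit()</script>

// --- Hardened pattern ----------------------------------------------------
// Capability check first, then a nonce bound to this specific action.
// check_admin_referer() verifies the nonce field (and the admin referer)
// and calls wp_die() on failure, so a forged cross-site request never
// reaches update_option(). The nonce is derived from the user's session
// token and a site secret, so a third-party origin cannot read or forge it.
function safe_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_plugin_save_settings', '_example_nonce' );

    $endpoint = isset( $_POST['api_endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['api_endpoint'] ) )
        : '';
    update_option( 'example_plugin_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save_safe', 'safe_save_settings' );

// The legitimate settings form must emit the nonce the handler checks.
// wp_nonce_field() prints hidden _example_nonce and _wp_http_referer inputs.
function render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_safe">
        <?php wp_nonce_field( 'example_plugin_save_settings', '_example_nonce' ); ?>
        <input type="url" name="api_endpoint"
               value="<?php echo esc_attr( get_option( 'example_plugin_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Defence in depth (the WAF / security-plugin bullet) -----------------
// Reject POSTs to admin endpoints whose Origin (or, failing that, Referer)
// is not this site. This is coarse: it also blocks legitimate cross-origin
// admin-ajax callers and requests from browsers that send "Origin: null",
// so test it before enabling on a production site.
function reject_cross_origin_state_change() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $site = wp_parse_url( home_url(), PHP_URL_HOST );
    $src  = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ( '' === $src || wp_parse_url( $src, PHP_URL_HOST ) !== $site ) {
        wp_die( 'Cross-origin request rejected', '', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'reject_cross_origin_state_change' );
```

For AJAX handlers registered on wp_ajax_* hooks the equivalent guard is check_ajax_referer() with the same action and field name; the nonce has to be passed to the script (for example via wp_localize_script) rather than printed into a form.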

Advisories
Source: EUVD
ID: EUVD-2025-30643
Title: Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago & Leadoo allows Cross Site Request Forgery. This issue affects SALESmanago & Leadoo: from n/a through 3.8.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago & Leadoo allows Cross Site Request Forgery. This issue affects SALESmanago & Leadoo: from n/a through 3.8.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago & Leadoo salesmanago allows Cross Site Request Forgery. This issue affects SALESmanago & Leadoo: from n/a through <= 3.8.1.
Type: References (updated)
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Sat, 04 Oct 2025 03:30:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago allows Cross Site Request Forgery. This issue affects SALESmanago: from n/a through 3.8.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago & Leadoo allows Cross Site Request Forgery. This issue affects SALESmanago & Leadoo: from n/a through 3.8.1.

Wed, 24 Sep 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Salesmanago (salesmanago), Wordpress (wordpress)
Type: Vendors & Products
Values Added: Salesmanago (salesmanago), Wordpress (wordpress)

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago allows Cross Site Request Forgery. This issue affects SALESmanago: from n/a through 3.8.1.
Type: Title
Values Added: WordPress SALESmanago Plugin <= 3.8.1 - Cross Site Request Forgery (CSRF) Vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References (added)
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.641Z

Reserved: 2025-08-22T11:37:02.929Z

Link: CVE-2025-57970

Vulnrichment

Updated: 2025-09-24T15:27:45.140Z

NVD

Status : Deferred

Published: 2025-09-22T19:15:56.467

Modified: 2026-04-23T15:33:09.240

Link: CVE-2025-57970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:15:06Z

Weaknesses