Description
The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to sanitise and escape a parameter used in an SQL statement and does not enforce authorisation on the corresponding AJAX action. Consequently, authenticated users with minimal permissions, such as subscribers, can inject arbitrary SQL code. If successful, an attacker could read, modify, or delete database records, potentially compromising site confidentiality, integrity, and availability.

Affected Systems

WordPress installations that have the SALESmanago & Leadoo plugin version earlier than 3.11.3. The vulnerability applies to any instance of the plugin where the AJAX action is accessible to users with subscriber or equivalent roles.

Risk and Exploitability

The missing input sanitisation combined with the missing authorisation check creates a high-risk vector. Although no EPSS score is available and the issue is not listed in CISA's KEV catalog, an SQL injection reachable by unauthorised users carries a severe potential impact. An attacker who already holds a low-privilege account can reach the exposed endpoint with ordinary AJAX requests, so the likelihood of exploitation is substantial on sites with open user registration.

Generated by OpenCVE AI on June 26, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SALESmanago & Leadoo plugin to version 3.11.3 or later to apply the vendor‑provided fix.
  • Restrict or remove the subscriber role's access to the AJAX endpoint by tightening WordPress user role permissions or using a capability-based access control plugin.
  • Audit recent database entries for anomalies and apply preventive measures such as prepared statements or ORM usage, and consider deploying a Web Application Firewall to block malformed SQL traffic.
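The two weaknesses this record names (CWE-284 and CWE-89) map onto two missing checks in a WordPress AJAX handler. The following is an added illustration, not the SALESmanago & Leadoo plugin's code: a hypothetical handler written the vulnerable way beside the same handler with authorisation and a prepared statement; the action names, table and capability are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Hypothetical names throughout:
// the AJAX actions, the {prefix}example_contacts table and the capability.

// Vulnerable pattern (CWE-284 + CWE-89): wp_ajax_* hooks fire for every logged-in
// role, subscribers included, so with no capability check and no nonce any
// authenticated user reaches a query built by string concatenation.
function example_vulnerable_lookup() {
    global $wpdb;
    $email = $_POST['email'];                                   // unsanitised input
    $sql   = "SELECT id, email FROM {$wpdb->prefix}example_contacts WHERE email = '$email'";
    wp_send_json_success( $wpdb->get_results( $sql ) );          // CWE-89
}
add_action( 'wp_ajax_example_lookup_vulnerable', 'example_vulnerable_lookup' );

// Hardened pattern: verify a nonce bound to this action (created on the calling
// page with wp_create_nonce( 'example_lookup' )), require the capability the
// feature actually needs, unslash and sanitise the value, and let $wpdb->prepare()
// build the statement so the parameter can never alter its structure.
function example_hardened_lookup() {
    global $wpdb;

    // CWE-284 fix: a subscriber fails these checks before any SQL runs.
    check_ajax_referer( 'example_lookup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $email ) {
        wp_send_json_error( 'bad_request', 400 );
    }

    // CWE-89 fix: the %s placeholder is quoted and escaped by prepare(); the table
    // name comes from $wpdb->prefix, never from the request.
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$wpdb->prefix}example_contacts WHERE email = %s",
        $email
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_example_lookup', 'example_hardened_lookup' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*` callback and confirm both a capability check and `$wpdb->prepare()` (or an equivalent) sit on the path to each query.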

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-284, CWE-89

Fri, 26 Jun 2026 06:30:00 +0000

Type: Description
Values removed: (none)
Values added: The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.

Type: Title
Values removed: (none)
Values added: SALESmanago & Leadoo < 3.11.3 - Subscriber+ SQL Injection

Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-26T06:00:02.508Z

Reserved: 2026-06-04T10:55:21.114Z

Link: CVE-2026-10835

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')