Description
Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions.
Published: 2026-06-25
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability, a Subscriber SQL injection in versions of the WordPress SALESmanago & Leadoo plugin up to and including 3.11.2, allows an unauthenticated user to send crafted input that is incorporated into SQL statements without proper neutralization. This permits arbitrary SQL execution against the site's database, exposing confidential data, enabling data modification, and potentially compromising the integrity of the application. The weakness is a classic injection flaw, classified as CWE-89.

Affected Systems

The issue affects any installation of the SALESmanago & Leadoo WordPress plugin at version 3.11.2 or older, whatever organization runs it. No particular environment configuration is required; any site running the affected plugin is at risk regardless of its other host settings.

Risk and Exploitability

With a CVSS score of 8.5, the vulnerability is rated high impact. No EPSS score is available, so the current probability of exploitation cannot be quantified, but given how common SQL injection is in web applications and the lack of known mitigations, the risk of exploitation remains significant. The plugin processes input supplied through plugin URLs or form submissions, so an attacker can deliver malicious payloads remotely. The vulnerability is not yet in the CISA KEV catalog, indicating no widespread documented exploitation at this time.

Generated by OpenCVE AI on June 25, 2026 at 16:06 UTC.

Remediation

Vendor Solution

Update the WordPress SALESmanago & Leadoo Plugin to the latest available version (at least 3.11.3).


OpenCVE Recommended Actions

  • Upgrade the WordPress SALESmanago & Leadoo plugin to version 3.11.3 or newer.
  • Restrict database permissions for the plugin to the minimum required level to limit potential damage from SQL injection.
  • Perform a database audit to detect and remove any unauthorized data inserted by the vulnerability.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions.
Title | | WordPress SALESmanago & Leadoo plugin <= 3.11.2 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T15:07:16.240Z

Reserved: 2026-06-16T09:21:51.801Z

Link: CVE-2026-54822

Vulnrichment

Updated: 2026-06-25T14:56:14.439Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')