CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Missing Authorization vulnerability in SALESmanago SALESmanago & Leadoo salesmanago allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SALESmanago & Leadoo: from n/a through <= 3.9.0.
Analysis (AI)
Broken access control in the SALESmanago & Leadoo WordPress plugin allows an authenticated attacker with low-level privileges (PR:L in the CVSS vector, i.e. any account such as a subscriber) to bypass authorization checks and reach functionality intended for higher-privilege users. Affected versions are all releases up to and including 3.9.0. The CVSS 3.1 vector rates the impact as high on confidentiality, integrity, and availability with unchanged scope, meaning the compromise stays within the security authority of the plugin and the WordPress site it runs on rather than crossing into another component. The EPSS score of 0.06% (18th percentile) indicates a low observed exploitation probability, and no public exploit had been identified at the time of analysis.
Technical Context (AI)
This vulnerability is classified as CWE-862 (Missing Authorization), a common weakness in WordPress plugins where privilege checks are absent or incorrectly implemented on sensitive endpoints or functions. The SALESmanago plugin, which integrates the SALESmanago marketing automation and Leadoo visitor engagement platforms with WordPress, does not verify that an authenticated user holds the appropriate permission before granting access to restricted functionality. This is a broken access control condition: the application trusts the authenticated session without checking role-based authorization. Such flaws typically arise when developers implement authentication (verifying identity) but omit authorization (verifying permission level), so any logged-in user can invoke administrative or privileged operations. In WordPress plugins this weakness most often appears in AJAX handlers registered on the wp_ajax_ hook (which fires for every logged-in user), REST API routes with a missing or permissive permission_callback, or admin-facing functions that lack a capability check via current_user_can() or an equivalent authorization mechanism. A nonce check alone does not close the gap: a nonce proves the request originated from the site's own page (a CSRF defence), not that the user is allowed to perform the action.
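The pattern described above, shown as an added illustration in WordPress plugin code. This is not SALESmanago's code and does not reproduce the plugin's actual vulnerable endpoint; the action name example_save_settings, the option key example_api_key, the capability manage_options and the script handle are assumptions chosen to make the weakness class and its fix concrete. The first handler authenticates but never authorizes; the second adds the nonce and capability checks, and a REST route shows the equivalent gate there.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin (hypothetical code,
// not the SALESmanago plugin's own). Names below are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* fires for ANY logged-in user, subscriber included. The handler
// knows who the caller is (authentication) but never asks whether that
// caller may change a plugin-wide setting (authorization).
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'example_api_key', $api_key );   // a subscriber can overwrite this
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// Order matters: reject bad requests before touching any state.
//  1. check_ajax_referer(): the request carries a nonce bound to this
//     action (blocks CSRF; on its own it proves nothing about privilege).
//  2. current_user_can(): the caller holds a capability that only the
//     intended role has. This is the check CWE-862 describes as missing.
//  3. Input is sanitized before storage.
add_action( 'wp_ajax_example_save_settings_safe', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    check_ajax_referer( 'example_save_settings', 'nonce' );   // dies with 403 on failure

    if ( ! current_user_can( 'manage_options' ) ) {          // administrator-only capability
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'example_api_key', $api_key );
    wp_send_json_success();
}

// The nonce the hardened handler expects is issued only on the plugin's own
// settings page, so the admin form can send it along with the request.
// 'example-admin' and its script path are assumed names.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
} );

// --- Same fix for a REST route --------------------------------------------
// permission_callback is the authorization gate. Returning '__return_true'
// for a state-changing route is the REST analogue of the vulnerable handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'example_api_key', sanitize_text_field( $req->get_param( 'api_key' ) ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'api_key' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

When auditing a plugin for this class of bug, list every add_action( 'wp_ajax_...' ) and register_rest_route() call and confirm each one reaches a current_user_can() check (or a non-trivial permission_callback) before any read of sensitive data or write to options, users or posts; wp_ajax_nopriv_ handlers deserve the same scrutiny for unauthenticated reach.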
Affected Products (AI)
The vulnerability affects the SALESmanago & Leadoo plugin for WordPress, specifically all versions up to and including 3.9.0. The plugin integrates the SALESmanago marketing automation and Leadoo visitor engagement platforms into WordPress sites, providing lead generation, customer tracking, and marketing campaign management. Its identifier (slug) in the WordPress plugin repository is 'salesmanago'. Organizations running any version at or below 3.9.0 should consider themselves affected. The vulnerability was reported through Patchstack's security research program, which specializes in WordPress plugin security auditing. No CPE identifiers were provided in the available data, but affected installations can be identified by checking the plugin version in the WordPress admin dashboard under Plugins > Installed Plugins, or from the command line with WP-CLI (wp plugin get salesmanago --field=version).
Remediation (AI)
Upgrade the SALESmanago & Leadoo plugin to version 3.9.1 or later, which adds the missing authorization checks. In the WordPress admin dashboard, go to Plugins > Installed Plugins, locate the SALESmanago & Leadoo plugin (slug 'salesmanago'), and click Update if one is offered; alternatively, download the latest release from the WordPress plugin repository and install it manually. Full technical details and vendor acknowledgment are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/salesmanago/vulnerability/wordpress-salesmanago-plugin-3-9-0-broken-access-control-vulnerability. If immediate patching is not possible, interim mitigations are: disable open user registration (Settings > General > Membership) so untrusted accounts cannot be created, since the attack requires a logged-in user; audit existing low-privilege accounts for suspicious activity; and monitor plugin-related administrative actions through WordPress activity logs. Review SALESmanago API credential usage and rotate the keys if unauthorized access is suspected. Web Application Firewall (WAF) rules can flag unusual authenticated requests to the plugin's admin-ajax.php actions or REST routes, but because the exploit traffic comes from a valid session this provides only limited protection and is no substitute for the update.