Skip to main content

SALESmanago & Leadoo CVE-2026-10835

| EUVDEUVD-2026-39625 HIGH
2026-06-26 WPScan GHSA-mprc-69fc-33c7
7.7
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable AJAX action exploitable by any authenticated subscriber gives AV:N/AC:L/PR:L/UI:N; SQLi reads data outside the plugin's context (S:C, C:H) but the description indicates disclosure only, so I:N/A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 18:31 vuln.today
CVSS changed
Jun 26, 2026 - 16:22 NVD
7.7 (HIGH)
Patch available
Jun 26, 2026 - 08:01 EUVD
CVE Published
Jun 26, 2026 - 06:00 cve.org
HIGH 7.7
CVE Published
Jun 26, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.

AnalysisAI

SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain subscriber-level account
Delivery
Send crafted AJAX request to admin-ajax.php
Exploit
Inject SQL via unsanitised parameter
Execution
Bypass missing authorisation check
Impact
Exfiltrate sensitive database records

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with only minimal privileges (subscriber-level), and the target must run the SALESmanago & Leadoo plugin at a version before 3.11.3. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a moderate, not critical, real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers (or reuses) a low-privilege subscriber account on a WordPress site running the vulnerable plugin, then sends a crafted authenticated AJAX request with a malicious value in the unsanitised parameter. Because the action enforces no authorisation, the injected SQL executes against the WordPress database, letting the attacker extract sensitive data such as user records and password hashes. …
Remediation Vendor-released patch: upgrade the SALESmanago & Leadoo plugin to version 3.11.3 or later, per the WPScan advisory (https://wpscan.com/vulnerability/3c7b37ab-b069-4257-82b2-5b4c54f7e503/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances using SALESmanago & Leadoo plugin and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy