Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable low-complexity SQLi needs a Subscriber account (PR:L); read-oriented injection gives high confidentiality but no clear integrity or availability impact, and I assess scope unchanged (S:U) versus the vendor's S:C.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions.
AnalysisAI
SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session at Subscriber level or higher (PR:L) on a site with the SALESmanago & Leadoo plugin version 3.11.2 or earlier installed and active; no user interaction and no high privileges are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, score 8.5) describes a network-exploitable, low-complexity attack needing only low privileges and no user interaction, with high confidentiality impact and a changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privilege Subscriber account on a WordPress site running the vulnerable plugin, then sends a crafted authenticated request to a plugin action carrying a malicious SQL payload in an unsanitized parameter. The injected query returns or leaks database contents such as administrator password hashes and user data, which can then be cracked offline or used to escalate. … |
| Remediation | Upgrade the SALESmanago & Leadoo plugin to a release newer than 3.11.2 as published by the vendor; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/salesmanago/vulnerability/wordpress-salesmanago-leadoo-plugin-3-11-2-sql-injection-vulnerability) for the exact fixed version, since no patched version number was provided in the available data and should not be assumed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using SALESmanago & Leadoo plugin; document current versions deployed and count of active Subscriber-level users; assess whether the plugin is business-critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Salesmanago Leadoo
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39364
GHSA-xwxh-84mx-hgrr