Skip to main content

Salesmanago Leadoo

2 CVEs product

Monthly

CVE-2026-10835 HIGH POC PATCH This Week

SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.

WordPress SQLi Salesmanago Leadoo
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-54822 HIGH This Week

SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Salesmanago Leadoo
NVD
CVSS 3.1
8.5
EPSS
0.3%
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.

WordPress SQLi Salesmanago Leadoo
NVD WPScan VulDB
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Salesmanago Leadoo
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy