Salesmanago Leadoo
Monthly
SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.
SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.
SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.