CVE-2026-10835
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
The SALESmanago & Leadoo WordPress plugin before version 3.11.3 does not properly sanitize and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorization on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.
Risk Assessment
The risk involves potential unauthorized access to the WordPress database, which could lead to data leakage, content modification, or full site compromise by an attacker.
Recommendation
It is recommended to immediately update the SALESmanago & Leadoo plugin to version 3.11.3 or later, which fixes this vulnerability.
Original NVD description (English source)
The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.

