CVE Catalog

CVE-2026-10835

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

The SALESmanago & Leadoo WordPress plugin before version 3.11.3 does not properly sanitize and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorization on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.

Risk Assessment

The risk involves potential unauthorized access to the WordPress database, which could lead to data leakage, content modification, or full site compromise by an attacker.

Recommendation

It is recommended to immediately update the SALESmanago & Leadoo plugin to version 3.11.3 or later, which fixes this vulnerability.

Original NVD description (English source)

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS