CVE-2026-10835 in SALESmanago & Leadoo Plugin
Summary
by MITRE • 06/26/2026
The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability exists within the SALESmanago & Leadoo WordPress plugin version 3.11.2 and earlier, where inadequate input validation and sanitization mechanisms create a critical security flaw in the plugin's ajax handling functionality. This issue stems from the improper sanitization of user-supplied parameters before they are incorporated into SQL queries, combined with insufficient authorization checks on the affected AJAX endpoint. The vulnerability specifically targets an AJAX action that processes external input without proper security controls, allowing malicious actors to inject arbitrary SQL commands through carefully crafted parameters.
The technical exploitation of this vulnerability requires minimal privileges within the WordPress environment, as authenticated users with subscriber-level permissions can leverage this flaw. This represents a significant privilege escalation concern since the attack vector does not require administrator credentials or elevated access rights. The lack of proper authorization enforcement on the vulnerable AJAX endpoint means that any authenticated user can potentially access and manipulate the SQL injection point regardless of their role within the WordPress site. The vulnerability aligns with CWE-89 which classifies improper neutralization of special elements used in an SQL command as a critical weakness, while also relating to CWE-285 which addresses insufficient authorization checks.
The operational impact of this vulnerability extends beyond simple data theft or manipulation, as it provides attackers with the capability to perform comprehensive database reconnaissance and potentially gain full control over the affected WordPress installation. Attackers can execute arbitrary SQL queries against the database, potentially extracting sensitive information including user credentials, personal data, and configuration details. The vulnerability could also enable attackers to modify or delete database records, leading to data corruption or complete system compromise. Given that WordPress plugins often store sensitive business data and user information, the potential damage from such an attack can be substantial.
Mitigation strategies should focus on immediate plugin updates to version 3.11.3 or later, which contain proper sanitization and authorization fixes. Administrators should also implement additional security measures including regular security audits of installed plugins, monitoring for unauthorized access attempts, and implementing web application firewalls to detect SQL injection patterns. The vulnerability demonstrates the importance of following secure coding practices such as parameterized queries and proper input validation as recommended in the OWASP Top Ten and NIST Cybersecurity Framework guidelines. Organizations should also consider implementing principle of least privilege configurations to limit the damage potential from similar vulnerabilities in other systems.
The attack surface for this vulnerability is particularly concerning given that many WordPress installations operate with minimal security hardening and may have users with elevated privileges due to business requirements. The fact that this issue affects a marketing automation plugin highlights the risk associated with third-party WordPress extensions, emphasizing the need for comprehensive security assessments of all installed plugins and themes before deployment in production environments. This vulnerability also underscores the necessity of maintaining up-to-date software versions and implementing robust patch management procedures across all system components to prevent exploitation of known security flaws.