Description

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.
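The two defects named in the description, shown as a generic WordPress AJAX handler beside its hardened form. This is an added example, not code from the plugin or from the advisory; the demo_* function names, the demo_lookup action, the demo_contacts table, the contact_id parameter and the manage_options capability are all hypothetical.

```php
<?php
// Added illustration. Every name here (demo_* functions, demo_lookup action,
// demo_contacts table, contact_id parameter) is hypothetical and is not taken
// from the SALESmanago & Leadoo plugin.

// Pattern the advisory describes: a wp_ajax_ hook only requires a logged-in
// user, so a subscriber can reach the handler, and the request value is
// placed into the SQL text as-is (here in an unquoted numeric context).
function demo_lookup_vulnerable() {
    global $wpdb;
    $id   = $_POST['contact_id'];              // no validation, no cast
    $rows = $wpdb->get_results(
        "SELECT id, email FROM {$wpdb->prefix}demo_contacts WHERE id = $id"
    );
    wp_send_json_success( $rows );
}

// Hardened form: authorise first, validate the input, bind it as a parameter.
function demo_lookup_hardened() {
    global $wpdb;

    // Nonce check guards against CSRF; it is not an authorisation check.
    check_ajax_referer( 'demo_lookup', 'nonce' );

    // Authorisation: the capability is an assumption, pick the lowest
    // capability that should legitimately be able to run this query.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Validation: the value must be a positive integer.
    $id = isset( $_POST['contact_id'] ) ? absint( wp_unslash( $_POST['contact_id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid contact_id' ), 400 );
    }

    // Parameterised query: %d binds the value, it is never part of the SQL text.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email FROM {$wpdb->prefix}demo_contacts WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $rows );
}

// Only the hardened handler is registered for logged-in users.
add_action( 'wp_ajax_demo_lookup', 'demo_lookup_hardened' );
```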

PUBLISHED Reserved 2026-06-04 | Published 2026-06-26 | Updated 2026-06-26 | Assigner WPScan

Problem types

CWE-89 SQL Injection

Product status

Default status: unaffected

Any version before 3.11.3: affected

Credits

Alberto Ucendo Martínez (finder)

WPScan (coordinator)

References

wpscan.com/...rability/3c7b37ab-b069-4257-82b2-5b4c54f7e503/ exploit vdb-entry technical-description

cve.org (CVE-2026-10835)

nvd.nist.gov (CVE-2026-10835)