CVE-2026-10835

Description

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.

References

• https://wpscan.com/vulnerability/3c7b37ab-b069-4257-82b2-5b4c54f7e503/