CVE-2026-10835
Status: Received - Intake
SQL Injection in SALESmanago & Leadoo WordPress Plugin

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: WPScan

Description
The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor        Product   Version / Range
salesmanago   leadoo    up to 3.11.3 (excluding)
Executive Summary

The SALESmanago & Leadoo WordPress plugin versions 3.11.2 and below contain a critical SQL injection vulnerability (CVE-2026-10835). This vulnerability occurs because the plugin does not properly sanitize and escape a parameter passed to one of its AJAX actions before using it in a SQL statement. Additionally, it fails to enforce proper authorization on that action.

As a result, authenticated users with minimal permissions, such as subscribers, can exploit this flaw by sending crafted requests containing SQL injection payloads. These payloads are passed as a base64-encoded JSON object in the "data" parameter, specifically targeting the "dateFrom" field.

An attacker can use techniques like time-based blind SQL injection (e.g., using the SLEEP(2) function) to confirm and exploit the vulnerability.

Impact Analysis

This vulnerability allows attackers with minimal authenticated access to execute arbitrary SQL queries on the affected WordPress site's database.

Successful exploitation can lead to extraction of sensitive data such as user password hashes and secret keys from the database.

This can compromise the security and integrity of the website, potentially leading to unauthorized access, data breaches, and further attacks.

Detection Guidance

This vulnerability can be detected by sending crafted requests to the vulnerable AJAX action with a time-based blind SQL injection payload. For example, a payload including a SLEEP(2) function can be used to delay the response and confirm the presence of the vulnerability.

The payload is passed as a base64-encoded JSON object in the "data" parameter, specifically targeting the "dateFrom" field.

Detection commands involve sending an authenticated request (with a WordPress logged-in cookie) to the AJAX endpoint with such a payload and measuring the response delay.

  • Use curl or a similar tool to send a POST request whose base64-encoded JSON payload carries a time-based SQL injection (e.g., SLEEP(2)) in the "dateFrom" field.
  • Example curl command (replace the URL and cookie accordingly):

      curl -X POST https://example.com/wp-admin/admin-ajax.php -H "Cookie: wordpress_logged_in_..." -d "action=leadoo_ajax_action&data=BASE64_ENCODED_PAYLOAD"

  • Check whether the response is delayed by the sleep duration; a matching delay indicates the vulnerability is present.
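The probe above is what a tester sends; the defender's counterpart is to recognise that request shape in traffic before it reaches the database. The following Python snippet is an added example, not code from the plugin or from WPScan: it takes a captured POST body to admin-ajax.php (as a WAF or reverse-proxy audit log would record it), base64-decodes the "data" form field, parses the JSON, and flags a "dateFrom" value that is not a plain date and contains SQL syntax. The action name and the sample request bodies are constructed for the example; the real action name is not given on this page.

```python
import base64
import json
import re
from urllib.parse import parse_qs, quote

# Tokens that have no business in a field that should only ever hold a date.
# Kept deliberately generic: time-based probes (SLEEP/BENCHMARK), quote-then-
# boolean tails, comment sequences and statement separators.
SQLI_PATTERN = re.compile(
    r"""(sleep\s*\(|benchmark\s*\(|union\s+select|['"]\s*(or|and)\s|--|/\*|;)""",
    re.IGNORECASE,
)

# The only shape the field is expected to take: YYYY-MM-DD with optional time.
DATE_PATTERN = re.compile(r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$")


def decode_data_param(body):
    """Return the JSON object carried in the base64 'data' field, or None.

    Any failure to decode is treated as 'not the format we inspect' rather than
    an error, so a malformed request never crashes the detector.
    """
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("data", [None])[0]
    if raw is None:
        return None
    # parse_qs turns '+' into ' '; a space can never appear in base64, so map
    # it back in case the client did not percent-encode the plus sign.
    raw = raw.replace(" ", "+")
    try:
        decoded = base64.b64decode(raw, validate=False)
        return json.loads(decoded)
    except (ValueError, UnicodeDecodeError):  # binascii.Error/JSONDecodeError are ValueErrors
        return None


def is_suspicious(body):
    """True when the request's dateFrom field looks like SQL rather than a date."""
    obj = decode_data_param(body)
    if not isinstance(obj, dict):
        return False
    value = obj.get("dateFrom")
    if not isinstance(value, str):
        return False
    if DATE_PATTERN.match(value.strip()):
        return False  # well-formed date: nothing to see
    return bool(SQLI_PATTERN.search(value))


def make_body(obj, action="leadoo_ajax_action"):
    """Build a form body in the shape the advisory describes (action name is a placeholder)."""
    encoded = base64.b64encode(json.dumps(obj).encode()).decode()
    return f"action={action}&data={quote(encoded, safe='')}"


def scan_bodies(bodies):
    """Return the indices of the captured bodies that should be alerted on."""
    return [i for i, body in enumerate(bodies) if is_suspicious(body)]


# Constructed sample captures: one legitimate report query, two injection probes.
SAMPLE_BODIES = [
    make_body({"dateFrom": "2026-06-01", "dateTo": "2026-06-26"}),
    make_body({"dateFrom": "2026-06-01' AND SLEEP(2)-- ", "dateTo": "2026-06-26"}),
    make_body({"dateFrom": "2026-06-01' OR '1'='1", "dateTo": "2026-06-26"}),
]

if __name__ == "__main__":
    for i in scan_bodies(SAMPLE_BODIES):
        print(f"ALERT body[{i}]: dateFrom={decode_data_param(SAMPLE_BODIES[i])['dateFrom']!r}")
```

The allow-list check (DATE_PATTERN) does most of the work: a value that is a well-formed date is never inspected further, so false positives stay low, while anything else is judged on the SQL-syntax patterns. The same split (validate the expected shape first, only then look for attack tokens) is what the fixed plugin version should be doing server-side before the value ever reaches `$wpdb`.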
Mitigation Strategies

The immediate mitigation step is to update the SALESmanago & Leadoo WordPress plugin to version 3.11.3 or later, where this vulnerability has been fixed.

Until the update can be applied, limit what low-privileged authenticated users (such as subscribers) can reach, and monitor for suspicious AJAX requests targeting the vulnerable action.

Additionally, consider temporarily disabling the plugin or the vulnerable AJAX action if possible to prevent exploitation.

Compliance Impact

The vulnerability allows authenticated users with minimal permissions to perform SQL injection attacks, potentially extracting sensitive data such as user password hashes and secret keys from the database.

Such unauthorized access and data extraction could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could compromise compliance with these common standards and regulations by exposing sensitive user data.
