CVE-2026-54822

SALESmanago · SALESmanago & Leadoo

A SQL injection vulnerability exists in the SALESmanago & Leadoo plugin, allowing authenticated subscribers to execute arbitrary SQL commands via the application.

Executive summary

The SALESmanago & Leadoo plugin is vulnerable to an authenticated SQL injection flaw that could allow malicious actors to compromise the underlying application database.

Vulnerability

The vulnerability is a subscriber-level SQL injection: an authenticated user holding only subscriber privileges can alter the structure of the queries the plugin sends to the database. The root cause is insufficient sanitization of user-supplied input before that input is incorporated into a database query.

Business impact

Successful exploitation can lead to unauthorized data extraction, modification, or deletion of sensitive customer and platform information. With a CVSS score of 8.5, this high-severity flaw threatens the overall integrity of the application and could result in severe data breaches.

Remediation

Immediate Action: Update the SALESmanago & Leadoo plugin to the latest version provided by the vendor.

Proactive Monitoring: Enable database query logging and monitor for unusual query patterns or syntax errors that suggest injection attempts.

Compensating Controls: Use a Web Application Firewall (WAF) with SQL injection protection rules to block malicious payloads aimed at the vulnerable parameters until the patch is applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Security teams should immediately audit user access levels and apply the necessary patches. Given the potential for full database compromise, this update should be treated as a high-priority task to ensure the integrity of the marketing automation platform.