Does SALESmanago & Leadoo have any unpatched vulnerabilities?

No. All known vulnerabilities in SALESmanago & Leadoo have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is SALESmanago & Leadoo compatible with WordPress 6.9.4?

According to WordPress.org data, SALESmanago & Leadoo 3.10.0 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is SALESmanago & Leadoo compatible with PHP 7.4+?

SALESmanago & Leadoo requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is SALESmanago & Leadoo updated?

SALESmanago & Leadoo was last updated on Mar 2, 2026. Frequent updates are generally a positive security signal.

What is SALESmanago & Leadoo's security score?

SALESmanago & Leadoo has a WP-Safety security score of 95/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

SALESmanago & Leadoo Security & Risk Analysis

wordpress.org/plugins/salesmanago

AI-powered Customer Engagement Platform for impact-hungry eCommerce marketing teams

1K active installs v3.10.0 PHP 7.4+ WP 5.6+ Updated Mar 2, 2026

crmemail-marketinglive-chatmarketing-automationsocial-media

A · Safe

CVEs total4

Unpatched0

Last CVEDec 24, 2025

Plugin page Download

Safety Verdict

Is SALESmanago & Leadoo Safe to Use in 2026?

Generally Safe

Score 95/100

SALESmanago & Leadoo has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEsLast CVE: Dec 24, 2025Updated 1mo ago

Risk Assessment

The Salesmanago plugin v3.10.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices in several areas, including the exclusive use of prepared statements for all SQL queries, indicating a strong defense against SQL injection. The presence of nonce and capability checks on its entry points further suggests an effort to protect against unauthorized access and actions.

However, the static analysis reveals significant concerns. A notable issue is the low percentage of properly escaped output (20%), which presents a substantial risk of Cross-Site Scripting (XSS) vulnerabilities. While the taint analysis shows no critical or high-severity unsanitized paths, the fact that all 4 analyzed flows have unsanitized paths, even if flagged as not critical, warrants attention. The presence of file operations without explicit mention of sanitization also introduces potential risks.

The vulnerability history of this plugin is a major red flag. With 4 known CVEs, all classified as medium severity, and a history of 'Missing Authorization', 'Cross-Site Request Forgery (CSRF)', and 'Authentication Bypass by Primary Weakness', it indicates a pattern of recurring security weaknesses. While there are currently no unpatched CVEs, the historical prevalence of these specific vulnerability types suggests a fundamental architectural or implementation flaw that could resurface. The plugin's last vulnerability being in the future (2025-12-24) is an anomaly and may be a data entry error, but the historical pattern of medium vulnerabilities remains a strong indicator of ongoing risk.

Key Concerns

Low output escaping percentage (20%)
All 4 taint flows have unsanitized paths
4 known medium severity CVEs historically
History of Missing Authorization vulnerabilities
History of CSRF vulnerabilities
History of Authentication Bypass vulnerabilities

Vulnerabilities

SALESmanago & Leadoo Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

3 CVEs in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

4 total CVEs

CVE-2025-68571medium · 5.3Missing Authorization

SALESmanago <= 3.9.0 - Missing Authorization

Dec 24, 2025 Patched in 3.9.1 (14d)

CVE-2025-57971medium · 6.5Missing Authorization

SALESmanago <= 3.8.1 - Missing Authorization

Sep 22, 2025 Patched in 3.8.2 (11d)

CVE-2025-57970medium · 4.3Cross-Site Request Forgery (CSRF)

SALESmanago <= 3.8.1 - Cross-Site Request Forgery

Sep 22, 2025 Patched in 3.8.2 (11d)

CVE-2023-4939medium · 5.3Authentication Bypass by Primary Weakness

SALESmanago <= 3.2.4 - Log Injection via Weak Authentication Token

Oct 20, 2023 Patched in 3.2.5 (95d)

Code Analysis

Analyzed Mar 16, 2026

SALESmanago & Leadoo Code Analysis

Dangerous Functions

Raw SQL Queries

31 prepared

Unescaped Output

167

43 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared31 total queries

Output Escaping

20% escaped210 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

4 flows4 with unsanitized paths

generateSwJs (src\Admin\Model\AdminModel.php:881)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

SALESmanago & Leadoo Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 7

actionplugins_loadedsalesmanago.php:67

filtercron_schedulessrc\Admin\Controller\CronController.php:25

actionwpsrc\Admin\Controller\CronController.php:26

actionsalesmanago_cron_eventsrc\Admin\Controller\CronController.php:27

actioninitsrc\Admin\Controller\CronController.php:28

filtersubmenu_filesrc\Admin\Controller\SettingsController.php:230

actionrest_api_initsrc\Admin\SmRestApi.php:20

Scheduled Events 1

salesmanago_cron_event

Maintenance & Trust

SALESmanago & Leadoo Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 2, 2026

PHP min version7.4

Downloads38K

Community Trust

Rating60/100

Number of ratings2

Active installs1K

Alternatives

SALESmanago & Leadoo Alternatives

Groundhogg — CRM, Newsletters, and Marketing Automation

groundhogg

Groundhogg is the best WordPress CRM & Marketing Automation plugin. Create flows, email campaigns, and have a CRM all within your WordPress site.

2K 23 CVEs

Meta Counter For Groundhogg | An Counter Action Extension

meta-counter-groundhogg

A Free Extension for Groundhogg: Adds an action that lets you count any funnel step and stores it in a chosen meta field.

10 No CVEs

EngageBay Marketing Automation for LearnDash

engagebay-add-on-for-learndash

100

Effortlessly connect LearnDash with EngageBay CRM to supercharge student engagement. Automate email campaigns, segment users by course activity, and t …

0 No CVEs

MandrakeCRM – CRM & AI Marketing Automation

mandrakecrm

100

CRM, automations, campaigns & analytics for WooCommerce. Charges per order, not per contact. Unlimited contacts. Free 7-day trial.

0 No CVEs

HubSpot All-In-One Marketing – Forms, Popups, Live Chat

leadin

The CRM, Sales, and Marketing WordPress plugin to grow your business better. Capture and engage web visitors with free live chat, forms, CRM, email ma …

200K 2 CVEs

Developer Profile

SALESmanago & Leadoo Developer Profile

SALESmanago

1 plugin · 1K total installs

trust score

Avg Security Score

95/100

Avg Patch Time

33 days

View full developer profile

Detection Fingerprints

How We Detect SALESmanago & Leadoo

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/salesmanago/assets/css/admin-style.css/wp-content/plugins/salesmanago/assets/js/admin-script.js/wp-content/plugins/salesmanago/assets/js/vue.min.js/wp-content/plugins/salesmanago/assets/js/clarity.js

Script Paths

/wp-content/plugins/salesmanago/assets/js/admin-script.js/wp-content/plugins/salesmanago/assets/js/vue.min.js/wp-content/plugins/salesmanago/assets/js/clarity.js

Version Parameters

salesmanago/assets/css/admin-style.css?ver=salesmanago/assets/js/admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes

sm-admin-pagesm-form-container

HTML Comments

Data Attributes

data-sm-iddata-sm-product-id

JS Globals

window.SM_AJAX_URLwindow.SM_SETTINGSwindow.SM_PLATFORM_SETTINGS

REST Endpoints

/wp-json/salesmanago/v1/options/wp-json/salesmanago/v1/products/wp-json/salesmanago/v1/sync/wp-json/salesmanago/v1/status

FAQ