CVE-2025-68571

SALESmanago <= 3.9.0 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.9.1
Patched in
14d
Time to patch

Description

The SALESmanago & Leadoo plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.9.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.9.0
PublishedDecember 24, 2025
Last updatedJanuary 6, 2026
Affected pluginsalesmanago

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the investigation and exploitation of **CVE-2025-68571**, a missing authorization vulnerability in the **SALESmanago & Leadoo** plugin (version <= 3.9.0). --- ### 1. Vulnerability Summary The SALESmanago & Leadoo plugin fails to implement proper authorization checks (ca…

Show full research plan

This research plan outlines the investigation and exploitation of CVE-2025-68571, a missing authorization vulnerability in the SALESmanago & Leadoo plugin (version <= 3.9.0).


1. Vulnerability Summary

The SALESmanago & Leadoo plugin fails to implement proper authorization checks (capability checks) on certain AJAX or initialization handlers. This allows unauthenticated attackers to trigger sensitive actions—potentially modifying plugin settings, such as API credentials or integration configurations—that should be restricted to administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (inferred) or a direct POST to a page triggering admin_init.
  • Vulnerable Action: An AJAX action registered via wp_ajax_nopriv_ that performs administrative tasks, or a handler hooked to init/admin_init lacking current_user_can().
  • Payload Parameter: Likely POST parameters corresponding to plugin settings (e.g., sm_client_id, sm_api_secret, sm_endpoint).
  • Authentication: Unauthenticated (No login required).
  • Preconditions: The plugin must be installed and active.

3. Code Flow (Inferred)

  1. The plugin registers an entry point, likely in the main plugin file or an admin controller:
    add_action( 'wp_ajax_nopriv_sm_save_settings', 'sm_save_settings_callback' ); (inferred)
  2. The callback function sm_save_settings_callback() (inferred) is executed.
  3. The function retrieves values from $_POST.
  4. The Flaw: The function lacks a check for current_user_can( 'manage_options' ) and may also lack a valid nonce verification for unauthenticated users.
  5. The function calls update_option() to save the attacker-supplied values into the WordPress database.

4. Nonce Acquisition Strategy

If the plugin uses wp_localize_script to provide a nonce for its AJAX actions:

  1. Identify the Shortcode: Search the plugin code for add_shortcode. If the scripts only load on specific pages, we need to create a page with that shortcode.
    • CLI Search: grep -r "add_shortcode" /var/www/html/wp-content/plugins/salesmanago/
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="SmTest" --post_content='[salesmanago_shortcode]' (shortcode name is inferred).
  3. Navigate and Extract: Use browser_navigate to visit the new page.
  4. Extract via Browser: Use browser_eval to find the nonce in the global JS object.
    • Inferred JS Variable: window.sm_ajax_obj?.nonce or window.SM_Data?.ajax_nonce.

5. Exploitation Strategy

This plan assumes the vulnerability allows updating plugin settings via admin-ajax.php.

Step 1: Identify the exact AJAX action.
Run a grep to find all wp_ajax_nopriv actions in the plugin:
grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/salesmanago/

Step 2: Analyze the callback.
Locate the function associated with the nopriv action and check if it calls update_option. Note the parameter names (e.g., clientId, apiKey).

Step 3: Construct the Exploit Request.
Use the http_request tool to send a malicious POST request.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=[INFERRED_ACTION]&sm_client_id=ATTACKER_ID&sm_api_secret=ATTACKER_SECRET&nonce=[EXTRACTED_NONCE]

6. Test Data Setup

  1. Install Plugin: Ensure salesmanago version 3.9.0 is installed.
  2. Initial State: Check existing settings to ensure they are empty or set to defaults.
    wp option get salesmanago_settings (option name inferred).
  3. Public Page: If a nonce is required, create a page with the plugin's shortcode as described in Section 4.

7. Expected Results

  • HTTP Response: The server should return a 200 OK or a JSON success message (e.g., {"success":true}).
  • Data Modification: The plugin settings in the wp_options table should be updated to the attacker's values.
  • Impact: By changing the API credentials, the attacker can redirect lead data to their own SALESmanago account or disable the integration.

8. Verification Steps

After sending the HTTP request, verify the change using WP-CLI:

  1. wp option get salesmanago_settings (inferred option name).
  2. Verify if the sm_client_id or equivalent matches ATTACKER_ID.

9. Alternative Approaches

  • Setting Injection via init: If no AJAX action is found, check for add_action( 'init', ... ) or add_action( 'admin_init', ... ) in the main plugin files. Sometimes plugins process $_POST globally without checking if the user is in the admin dashboard.
  • Check for sm_ prefixes: Many SALESmanago parameters will likely be prefixed with sm_. Search for update_option calls that use $_POST or $_REQUEST values directly.
    • grep -rn "update_option" /var/www/html/wp-content/plugins/salesmanago/ | grep "POST"
Research Findings
Static analysis — not yet PoC-verified

Summary

The SALESmanago & Leadoo plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on its settings-handling functions in versions up to 3.9.0. This allows unauthenticated attackers to modify critical plugin configurations, such as API credentials, which can lead to lead data redirection or service disruption.

Exploit Outline

1. Identify the specific AJAX action registered via wp_ajax_nopriv_ or an unprotected admin_init handler that processes the plugin's configuration update logic. 2. If the plugin utilizes a nonce for security, visit a public-facing page where the plugin's shortcode or scripts are active to extract the nonce from the localized JavaScript object (e.g., window.SM_Data). 3. Construct a POST request to /wp-admin/admin-ajax.php containing the identified action and malicious parameters for the settings (e.g., sm_client_id, sm_api_secret). 4. Upon execution, the server processes the request without verifying the user's administrative privileges, overwriting the integration settings in the database.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.