VYPR
High severity (CVSS 8.2) · NVD Advisory · Published May 16, 2026

CVE-2020-37242

Description

Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Supsystic Ultimate Maps 1.1.12 SQL injection via 'sidx' parameter allows unauthenticated attackers to extract database information.

Vulnerability

Overview

The Supsystic Ultimate Maps plugin for WordPress, version 1.1.12, contains a SQL injection vulnerability in the getListForTbl action. The sidx GET parameter is not sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands [2][3]. This flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) [3].

Exploitation

Details

An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to the WordPress admin AJAX endpoint (admin-ajax.php) with parameters such as mod=maps&action=getListForTbl&sidx=<payload>. The provided proof-of-concept demonstrates both boolean-based blind and time-based blind SQL injection techniques, using tools like sqlmap to automate extraction [2]. No authentication or special privileges are required, making the attack surface broad.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the underlying MySQL database. This can lead to the extraction of sensitive information, including user credentials, session tokens, and other confidential data stored in the WordPress database [3]. The CVSS v3 score of 8.2 (High) reflects the ease of exploitation and potential for significant data compromise.

Mitigation

Status

The vulnerability was reported to the vendor in July 2020, and after multiple follow-ups, a fix was applied on December 9, 2020 [2]. Users are strongly advised to update the plugin to a version later than 1.1.12. No workaround is available for unpatched installations.
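The overview above describes the defect (the sidx value reaching the query text unsanitized) and the mitigation section names updating as the only remedy. As an added illustration that is not Supsystic's code and not the vendor's actual fix, the PHP below shows the general shape of this bug in a sort parameter and the allowlist check that closes it: a column name is an SQL identifier, so prepared-statement placeholders cannot bind it and the only safe handling is to map the request value onto a fixed list of known columns. The function names, column list and request values are assumptions constructed for this example.

```php
<?php
// Added illustration (not the plugin's code): an unvalidated sort column
// reaching SQL, beside the allowlist check that prevents it.

// Vulnerable pattern (hypothetical): the request value is concatenated
// straight into ORDER BY. Nothing in the resulting string distinguishes a
// column name from attacker-supplied SQL, and because identifiers cannot be
// bound as prepared-statement parameters, escaping the value does not help.
function build_order_by_unsafe(array $get): string
{
    $sidx = $get['sidx'] ?? 'id';
    $sord = $get['sord'] ?? 'asc';
    return "ORDER BY {$sidx} {$sord}";
}

// Hardened pattern: the column and the direction are each looked up in a
// fixed allowlist, and the request value itself is never copied into SQL.
function build_order_by_safe(array $get): string
{
    // Assumed columns of the table being listed (constructed for the example).
    static $columns = ['id', 'title', 'created_at'];

    $sidx = (string) ($get['sidx'] ?? 'id');
    $sord = strtolower((string) ($get['sord'] ?? 'asc'));

    // Strict comparison: the value must be exactly one of the known columns.
    // Falling back to a default is one option; answering HTTP 400 is another.
    if (!in_array($sidx, $columns, true)) {
        $sidx = 'id';
    }

    // The direction is reduced to one of two literals, never echoed back.
    $sord = ($sord === 'desc') ? 'DESC' : 'ASC';

    // Backticks quote the identifier; by this point it is a known column name.
    return "ORDER BY `{$sidx}` {$sord}";
}

// Constructed requests for comparison: a benign sort and a tampered value.
$benign  = ['sidx' => 'title', 'sord' => 'desc'];
$hostile = ['sidx' => 'not_a_column OR 1=1', 'sord' => 'asc'];

// The unsafe builder reproduces the tampered value verbatim; the safe builder
// discards it and falls back to the default column.
echo "unsafe, benign : ", build_order_by_unsafe($benign), "\n";
echo "unsafe, hostile: ", build_order_by_unsafe($hostile), "\n";
echo "safe,   benign : ", build_order_by_safe($benign), "\n";
echo "safe,   hostile: ", build_order_by_safe($hostile), "\n";
```

Inside WordPress the same idea applies: `$wpdb->prepare()` covers values but not column names, so the column still has to be checked against an allowlist (WordPress also ships `sanitize_sql_orderby()`, which rejects most malformed input but is looser than an explicit list of known columns). Rejecting an unknown column with an error rather than silently defaulting also gives defenders a log line to alert on.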

AI Insight generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)