VYPR
High severity (8.2) · NVD Advisory · Published May 16, 2026 · Updated May 18, 2026

CVE-2020-37243

Description

Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and 'Edit HTML' fields that execute malicious scripts when viewing pricing tables.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Supsystic Pricing Table 1.8.7 has unauthenticated SQL injection via 'sidx' and stored XSS in edit fields, enabling data theft and script execution.

Vulnerability

Overview

CVE-2020-37243 affects Supsystic Pricing Table plugin versions 1.8.6 and 1.8.7. The plugin fails to sanitize user input in the sidx GET parameter when processing the getListForTbl action, leading to unauthenticated SQL injection [2][3]. Additionally, stored cross-site scripting (XSS) vulnerabilities exist in the 'Edit name' and 'Edit HTML' fields, allowing malicious scripts to be stored and executed when viewing pricing tables [2].

Exploitation

An unauthenticated attacker can exploit the SQL injection by sending a crafted GET request to the getListForTbl action with a malicious sidx parameter. The Exploit-DB entry [2] provides proof-of-concept payloads for boolean-based blind and time-based blind injection. For the stored XSS, an attacker with access to edit pricing tables (typically an administrator) can inject JavaScript into the name or HTML fields; the script then executes in the browser of any user viewing the affected table [2].

Impact

Successful SQL injection can lead to extraction of sensitive data from the WordPress database, including user credentials and site configuration. The stored XSS can be used to hijack admin sessions, deface pages, or redirect users to malicious sites. Both vulnerabilities can be chained to escalate privileges or compromise the entire WordPress installation [3].

Mitigation

The vendor released a patch on December 7, 2020, after being notified by the security researcher [2]. Users should update to the latest version of the plugin. No workarounds are documented; disabling the plugin until patched is recommended.
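An added illustration, not the plugin's code or the vendor's fix, of the defect class described above (a sort column taken straight from a GET parameter) next to the hardening a maintainer would apply; the function names, the `pts_tables` table and the allowlist are hypothetical, while `$wpdb`, `esc_html()` and `wp_kses_post()` are standard WordPress APIs:

```php
<?php
// Added example (hypothetical names): unsanitized sort parameter vs. allowlisted one.

// VULNERABLE PATTERN: the sort column arrives as ?sidx=... and is concatenated
// into the query, so the ORDER BY clause is attacker-controlled SQL.
function pts_list_vulnerable( $wpdb, array $get ) {
    $sidx = isset( $get['sidx'] ) ? $get['sidx'] : 'id';
    $sord = isset( $get['sord'] ) ? $get['sord'] : 'ASC';
    return $wpdb->get_results(
        "SELECT id, label FROM {$wpdb->prefix}pts_tables ORDER BY $sidx $sord"
    );
}

// HARDENED: identifiers cannot be bound as prepared-statement parameters, so the
// column and direction are mapped through a fixed allowlist; anything not in the
// list falls back to a safe default and never reaches the query text.
const PTS_SORT_COLUMNS = array( 'id' => 'id', 'label' => 'label', 'created' => 'created_at' );

function pts_sort_clause( $sidx, $sord ) {
    $column    = isset( PTS_SORT_COLUMNS[ $sidx ] ) ? PTS_SORT_COLUMNS[ $sidx ] : 'id';
    $direction = ( strtoupper( (string) $sord ) === 'DESC' ) ? 'DESC' : 'ASC';
    return "ORDER BY `$column` $direction";
}

function pts_list_hardened( $wpdb, array $get, $page = 1, $per_page = 20 ) {
    $order  = pts_sort_clause(
        isset( $get['sidx'] ) ? $get['sidx'] : 'id',
        isset( $get['sord'] ) ? $get['sord'] : 'ASC'
    );
    $offset = max( 0, ( (int) $page - 1 ) * (int) $per_page );
    // Only the numeric LIMIT values are user-influenced here, and those are bound
    // with prepare(); the ORDER BY text is entirely allowlist-derived.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, label FROM {$wpdb->prefix}pts_tables $order LIMIT %d, %d",
        $offset, (int) $per_page
    ) );
}

// Stored XSS side: the name and HTML fields are saved once but rendered many
// times, so escape at output. esc_html() neutralises the name entirely;
// wp_kses_post() restricts the HTML field to WordPress's post-safe tag set.
function pts_render_name( $name ) {
    return '<th>' . esc_html( $name ) . '</th>';
}

function pts_render_cell_html( $html ) {
    return '<td>' . wp_kses_post( $html ) . '</td>';
}
```

The allowlist also fixes the defect for any other action that reuses the same sort handling, which is why it belongs in one shared helper rather than per endpoint.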

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.
