CVE-2020-37244
Description
Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Supsystic Membership 1.4.7 SQL injection in 'search' and 'sidx' parameters allows unauthenticated attackers to extract database data via time-based blind or UNION queries.
Vulnerability
Overview
The Supsystic Membership plugin for WordPress, version 1.4.7, contains an SQL injection vulnerability in the badges module. The GET parameters 'search' and 'sidx' are used in database queries without sanitization, so an attacker can inject arbitrary SQL into those queries [2][3]. The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) [3].
Exploitation
An unauthenticated attacker exploits the flaw by sending crafted GET requests to the badges.getTblList endpoint; both sqlmap and hand-written payloads work. The published proof-of-concept demonstrates time-based blind and UNION-based SQL injection [2]. The attack is network-reachable, requires no authentication and has low complexity [3].
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, such as user credentials, session tokens, or other confidential data. The CVSS v3 score is 8.2 (High), with high confidentiality impact and low integrity impact [3].
Mitigation
The vulnerability was fixed on December 22, 2020, after the WordPress Plugin Security team intervened [2]. Users should update to a patched version of the plugin. No workarounds are documented, and the vendor did not respond to initial disclosure attempts [2].
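To make the Exploitation and Mitigation paragraphs concrete, the following is an added example written for this page; it is not Supsystic Membership code and does not reproduce the plugin's queries. It models the bug class only: a 'search' value pasted into a LIKE clause and a 'sidx' value pasted into ORDER BY (assumed, as is typical for a grid sort-index parameter), with constructed table and column names. SQLite stands in for MySQL, so the UNION-based technique is exercised directly, while the ORDER BY slot is shown as a boolean oracle with a comment on where MySQL's SLEEP() would go for the time-based blind variant the advisory describes. The hardened builder beside it shows the two fixes the bug class needs: a bound parameter for the value, and an allowlist for the identifier, which no prepared statement can bind.

```python
"""Constructed model of the CVE-2020-37244 bug class (not the plugin's code):
GET parameters 'search' and 'sidx' concatenated into SQL, beside a hardened
query builder. Schema, table names and query shape are assumptions; SQLite
stands in for MySQL."""
import sqlite3

# Assumed set of sortable badge columns; identifiers must be allowlisted
# because placeholders can only bind values, never column names.
ALLOWED_SORT_COLUMNS = {"id", "label", "created"}


def _db():
    """In-memory database: a badges table plus a users table holding the
    data an attacker would go after. All rows are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE badges(id INTEGER, label TEXT, created TEXT);
        INSERT INTO badges VALUES (1,'gold','2020-01-01'),(2,'silver','2020-02-01');
        CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1,'admin','$P$Bplaceholderhash');
    """)
    return con


def vulnerable_list(search, sidx):
    """Models the flaw: both request values are pasted into the SQL text."""
    sql = ("SELECT id, label, created FROM badges "
           f"WHERE label LIKE '%{search}%' ORDER BY {sidx}")
    return _db().execute(sql).fetchall()


def hardened_list(search, sidx):
    """Fix: bind the search value and allowlist the sort identifier."""
    if sidx not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sidx!r}")
    # Escape LIKE wildcards so the caller cannot widen the match either.
    esc = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT id, label, created FROM badges "
           f"WHERE label LIKE ? ESCAPE '\\' ORDER BY {sidx}")
    return _db().execute(sql, (f"%{esc}%",)).fetchall()


# Constructed UNION payload for 'search': closes the LIKE string, appends a
# UNION that reads wp_users, and comments out the trailing ORDER BY.
UNION_PAYLOAD = "x%' UNION SELECT ID, user_login, user_pass FROM wp_users -- "


def sidx_oracle(condition_sql):
    """Constructed inference through the ORDER BY slot: the order of the
    returned rows leaks one truth value per request. On MySQL the same slot
    takes a time-based form such as (SELECT IF(<cond>,SLEEP(5),0)); SQLite
    has no SLEEP(), so row order serves as the oracle here."""
    payload = f"(CASE WHEN ({condition_sql}) THEN id ELSE -id END)"
    rows = vulnerable_list("", payload)       # empty search matches every badge
    return rows[0][0] == 1                    # id 1 first means the condition held


if __name__ == "__main__":
    print(vulnerable_list(UNION_PAYLOAD, "id"))  # leaks the wp_users row
    print(sidx_oracle("(SELECT substr(user_login,1,1) FROM wp_users)='a'"))
    print(hardened_list(UNION_PAYLOAD, "id"))    # payload is just a literal string
```

The second fix is the one most often missed: once a sort column arrives as user input, the only safe treatment is an allowlist of known column names, because `$wpdb->prepare()` and its equivalents quote values, not identifiers.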
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.