{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/membership-1.4.7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2020-37244"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Membership 1.4.7"],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2020-37244","wordpress","unauthenticated"],"_cs_type":"advisory","_cs_vendors":["Supsystic"],"content_html":"\u003cp\u003eSupsystic Membership plugin version 1.4.7 is susceptible to SQL injection attacks due to insufficient input validation on the \u0026lsquo;search\u0026rsquo; and \u0026lsquo;sidx\u0026rsquo; parameters within the badges module. This vulnerability, identified as CVE-2020-37244, enables unauthenticated remote attackers to inject arbitrary SQL queries via crafted GET requests. Successful exploitation allows the attacker to read, modify, or delete sensitive data stored in the application\u0026rsquo;s database. The vulnerable software is a WordPress plugin. Attackers leverage this flaw to compromise the integrity of the WordPress site and gain unauthorized access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the vulnerable Supsystic Membership plugin version 1.4.7.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting the badges module.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u0026lsquo;search\u0026rsquo; or \u0026lsquo;sidx\u0026rsquo; parameter of the GET request.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and executes the injected SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based blind or UNION-based SQL injection techniques to extract sensitive data, bypassing normal authentication mechanisms.\u003c/li\u003e\n\u003cli\u003eThe extracted data may include user credentials, personal information, or other sensitive business data stored in the database.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the extracted data to identify further attack vectors or valuable information.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised database to gain administrative access to the WordPress site, or to exfiltrate data for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SQL injection vulnerability can lead to unauthorized access to sensitive information stored in the WordPress site\u0026rsquo;s database. This includes user credentials, personal information, and other confidential data. A successful attack could result in data breaches, identity theft, financial losses, and reputational damage to the affected organization. Given the unauthenticated nature of the vulnerability, any website running the vulnerable plugin is susceptible to attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Supsystic Membership plugin to a version beyond 1.4.7 to remediate CVE-2020-37244.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2020-37244 Supsystic Membership SQL Injection Attempt\u003c/code\u003e to monitor for exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection vulnerabilities in web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests containing SQL injection payloads, focusing on the \u0026lsquo;search\u0026rsquo; and \u0026lsquo;sidx\u0026rsquo; parameters in requests to the badges module, as covered by the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:19:14Z","date_published":"2026-05-16T16:19:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2020-37244-supsystic-sqli/","summary":"Supsystic Membership version 1.4.7 is vulnerable to SQL injection (CVE-2020-37244), allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters, potentially extracting sensitive database information.","title":"CVE-2020-37244: Supsystic Membership 1.4.7 Unauthenticated SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2020-37244-supsystic-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Membership 1.4.7","version":"https://jsonfeed.org/version/1.1"}