Attack Chain

1. An unauthenticated attacker identifies a WordPress site running the vulnerable Supsystic Membership plugin version 1.4.7.
2. The attacker crafts a malicious GET request targeting the badges module.
3. The attacker injects SQL code into the ‘search’ or ‘sidx’ parameter of the GET request.
4. The web server processes the request and executes the injected SQL query against the database.
5. The attacker uses time-based blind or UNION-based SQL injection techniques to extract sensitive data, bypassing normal authentication mechanisms.
6. The extracted data may include user credentials, personal information, or other sensitive business data stored in the database.
7. The attacker analyzes the extracted data to identify further attack vectors or valuable information.
8. The attacker may use the compromised database to gain administrative access to the WordPress site, or to exfiltrate data for malicious purposes.

Impact

Successful exploitation of the SQL injection vulnerability can lead to unauthorized access to sensitive information stored in the WordPress site’s database. This includes user credentials, personal information, and other confidential data. A successful attack could result in data breaches, identity theft, financial losses, and reputational damage to the affected organization. Given the unauthenticated nature of the vulnerability, any website running the vulnerable plugin is susceptible to attack.

Recommendation

• Upgrade the Supsystic Membership plugin to a version beyond 1.4.7 to remediate CVE-2020-37244.
• Deploy the Sigma rule Detect CVE-2020-37244 Supsystic Membership SQL Injection Attempt to monitor for exploitation attempts.
• Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in web applications.
• Monitor web server logs for suspicious GET requests containing SQL injection payloads, focusing on the ‘search’ and ‘sidx’ parameters in requests to the badges module, as covered by the Sigma rule.