{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pricing-table/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2020-37243"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pricing Table"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","xss","wordpress","plugin"],"_cs_type":"threat","_cs_vendors":["Supsystic"],"content_html":"\u003cp\u003eSupsystic Pricing Table plugin version 1.8.7 is vulnerable to SQL injection via the \u0026lsquo;sidx\u0026rsquo; GET parameter. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by manipulating the getListForTbl action. Additionally, the plugin contains stored cross-site scripting (XSS) vulnerabilities in the \u0026lsquo;Edit name\u0026rsquo; and \u0026lsquo;Edit HTML\u0026rsquo; fields. These XSS vulnerabilities allow attackers to inject malicious scripts that are executed when users view the affected pricing tables. Successful exploitation of the SQL injection vulnerability could allow an attacker to read, modify, or delete sensitive data from the WordPress database. The XSS vulnerability can lead to session hijacking or arbitrary script execution in the context of the user\u0026rsquo;s browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Supsystic Pricing Table plugin version 1.8.7.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the getListForTbl action, injecting SQL code into the \u0026lsquo;sidx\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request, and the injected SQL code is executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the SQL injection vulnerability to extract sensitive data such as user credentials, API keys, or other confidential information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages stored XSS vulnerabilities by injecting malicious scripts into the \u0026lsquo;Edit name\u0026rsquo; or \u0026lsquo;Edit HTML\u0026rsquo; fields of a pricing table.\u003c/li\u003e\n\u003cli\u003eA legitimate user views the pricing table containing the injected XSS payload.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes within the user\u0026rsquo;s browser, potentially stealing session cookies or redirecting the user to a phishing site.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookies to impersonate the user, gaining unauthorized access to the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SQL injection vulnerability (CVE-2020-37243) can lead to complete database compromise, including unauthorized access to sensitive data, modification of website content, and potential privilege escalation. The stored XSS vulnerabilities allow attackers to inject malicious scripts that can hijack user sessions, deface websites, or redirect users to phishing sites. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to numerous websites and their users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Supsystic Pricing Table plugin to a version greater than 1.8.7 to patch the SQL injection vulnerability (CVE-2020-37243).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to all user-supplied data, especially GET parameters, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to detect and block SQL injection attempts targeting the \u0026lsquo;sidx\u0026rsquo; GET parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2020-37243 Exploitation — Supsystic Pricing Table SQL Injection\u003c/code\u003e to identify malicious HTTP requests exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview pricing tables and sanitize suspicious content from \u0026lsquo;Edit name\u0026rsquo; and \u0026lsquo;Edit HTML\u0026rsquo; fields to mitigate stored XSS risks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:18:59Z","date_published":"2026-05-16T16:18:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2020-37243-supsystic-sql-injection/","summary":"Supsystic Pricing Table plugin version 1.8.7 contains an SQL injection vulnerability via the 'sidx' GET parameter, enabling unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action, as well as stored XSS vulnerabilities.","title":"Supsystic Pricing Table Plugin \u003c= 1.8.7 SQL Injection Vulnerability (CVE-2020-37243)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2020-37243-supsystic-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Pricing Table","version":"https://jsonfeed.org/version/1.1"}