{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2020-37242/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2020-37242"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ultimate Maps (1.1.12)"],"_cs_severities":["high"],"_cs_tags":["cve-2020-37242","sql-injection","wordpress"],"_cs_type":"advisory","_cs_vendors":["Supsystic"],"content_html":"\u003cp\u003eSupsystic Ultimate Maps is a WordPress plugin that allows users to create custom maps. Version 1.1.12 of this plugin contains a high-severity SQL injection vulnerability (CVE-2020-37242, CVSS v3.1 base score 8.2). Unauthenticated attackers can exploit this vulnerability by injecting SQL into the \u0026lsquo;sidx\u0026rsquo; GET parameter when calling the \u0026lsquo;getListForTbl\u0026rsquo; action. Successful exploitation allows attackers to inject arbitrary SQL into the plugin\u0026rsquo;s database query, potentially leading to the extraction of sensitive database information. 
This vulnerability poses a significant risk to websites using the affected plugin, as it could result in data breaches and compromise of user information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website running Supsystic Ultimate Maps version 1.1.12.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003egetListForTbl\u003c/code\u003e action with a SQL injection payload in the \u003ccode\u003esidx\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe malicious GET request is sent to the WordPress website.\u003c/li\u003e\n\u003cli\u003eThe WordPress plugin uses the \u003ccode\u003esidx\u003c/code\u003e parameter in a database query without validating or escaping it.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the website\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses boolean-based or time-based blind SQL injection techniques to extract data.\u003c/li\u003e\n\u003cli\u003eSensitive information, such as usernames, password hashes, or other database records, is retrieved.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2020-37242 can lead to the complete compromise of the vulnerable website\u0026rsquo;s database. Attackers can gain access to sensitive information, including user credentials, personal data, and other confidential data stored in the database. This can result in data breaches, identity theft, financial loss, and reputational damage for the website owner and its users. 
The CVSS v3.1 base score for this vulnerability is 8.2, indicating a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Supsystic Ultimate Maps to a patched version that addresses CVE-2020-37242 to remediate the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2020-37242 Exploitation — SQL Injection in Supsystic Ultimate Maps\u003c/code\u003e to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests to the \u003ccode\u003egetListForTbl\u003c/code\u003e action containing SQL injection payloads in the \u003ccode\u003esidx\u003c/code\u003e parameter as covered by the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:18:44Z","date_published":"2026-05-16T16:18:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2020-37242-sqli/","summary":"Supsystic Ultimate Maps 1.1.12 is vulnerable to SQL injection via the 'sidx' GET parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information.","title":"Supsystic Ultimate Maps SQL Injection Vulnerability (CVE-2020-37242)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2020-37242-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2020-37242","version":"https://jsonfeed.org/version/1.1"}
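Editor's added example, not part of the CraftedSignal brief and not the plugin's or the vendor's code: the log-monitoring recommendation above (flag GET requests to the getListForTbl action whose sidx parameter carries SQL) implemented as a small detector run over constructed access-log lines. It assumes the action is reached through the standard WordPress /wp-admin/admin-ajax.php?action=... endpoint (the brief does not give the request path), and that a legitimate sidx value is a plain column name, which is what a sort-index parameter normally carries. The allowlist is the trigger; the keyword patterns only label the technique, so the boolean- and time-based payloads from the attack chain are classified and an unknown payload is still reported. Only the query string is inspected, because the brief describes a GET parameter and POST bodies are not in access logs.

```python
"""Flag CVE-2020-37242 exploitation attempts in web-server access logs.

Editor's example. Assumption: getListForTbl is invoked via
/wp-admin/admin-ajax.php?action=getListForTbl (the brief does not state the path).
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
# Lines 2 and 3 carry time-based and boolean-based payloads in sidx.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2026:16:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id&sord=asc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2026:16:20:03 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id%20AND%20SLEEP(5)&sord=asc HTTP/1.1" 200 512 "-" "sqlmap/1.7"
203.0.113.7 - - [16/May/2026:16:20:05 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id%27%20AND%201%3D1--%20-&sord=asc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/May/2026:16:21:00 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=title&sord=desc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/May/2026:16:21:09 +0000] "GET /index.php?p=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A sort-index parameter should only ever name a column (assumption: the plugin
# never needs anything outside [A-Za-z0-9_.]). Anything else is treated as hostile;
# the allowlist is the trigger, the patterns below only label the technique.
SAFE_SIDX = re.compile(r'^[A-Za-z0-9_.]+$')

TECHNIQUE_PATTERNS = (
    ("time-based", re.compile(r'\b(?:SLEEP|BENCHMARK|WAITFOR)\s*\(', re.I)),
    ("boolean-based", re.compile(r"\b(?:AND|OR)\b\s+[\w'()]+\s*=", re.I)),
    ("comment-terminator", re.compile(r'--|#|/\*')),
)


def classify_sidx(value):
    """Return the list of injection techniques seen in a sidx value.

    An empty list means the value looks like a plain column name. A value that
    fails the allowlist but matches no known pattern is still reported as
    'unclassified', so a novel payload is not silently dropped.
    """
    decoded = unquote_plus(value)  # second decode catches double-encoded payloads
    if SAFE_SIDX.match(decoded):
        return []
    hits = [name for name, pat in TECHNIQUE_PATTERNS if pat.search(decoded)]
    return hits or ["unclassified"]


def parse_line(line):
    """Split one combined-format log line; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),  # URL-decodes once
        "status": int(m.group("status")),
    }


def detect(log_text):
    """Return one finding per getListForTbl request whose sidx fails the allowlist.

    Only the query string is inspected: the brief describes a GET parameter, and
    POST bodies are not present in access logs, so a POSTed payload would need a
    WAF or application-level log to catch.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["query"]
        if q.get("action") != ["getListForTbl"] or "sidx" not in q:
            continue
        for raw in q["sidx"]:  # a repeated parameter yields several values
            techniques = classify_sidx(raw)
            if techniques:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                    "sidx": unquote_plus(raw), "techniques": techniques,
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} sidx={f['sidx']!r} -> {', '.join(f['techniques'])}")
```

To run it against a real log, pass the file contents to detect() and forward the findings to the SIEM alongside the Sigma rule; the allowlist check is deliberately the primary trigger because a keyword blocklist alone is trivially bypassed with alternative SQL syntax.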