Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
120 vulnerabilities by supsystic
CVE-2020-37246 (GCVE-0-2020-37246)
Vulnerability from nvd – Published: 2026-05-16 15:26 – Updated: 2026-05-18 17:53
VLAI
Title
WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion
Summary
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.
Severity
6.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49545 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/backup-by-… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T17:35:07.238097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T17:53:28.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Backup",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "2.3.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:26:01.314Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49545",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49545"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/backup-by-supsystic.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-backup-local-file-inclusion"
}
],
"title": "WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37246",
"datePublished": "2026-05-16T15:26:01.314Z",
"dateReserved": "2026-05-16T14:20:25.326Z",
"dateUpdated": "2026-05-18T17:53:28.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37245 (GCVE-0-2020-37245)
Vulnerability from nvd – Published: 2026-05-16 15:26 – Updated: 2026-05-18 18:06
VLAI
Title
WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS
Summary
Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49542 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/digital-pu… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Digital Publications |
Affected:
1.6.9
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37245",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T18:05:57.557582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T18:06:40.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Digital Publications",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.6.9"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:supsystic:digital_publications_by_supsystic:1.6.9:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:26:00.417Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49542",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49542"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-digital-publications-path-traversal-xss"
}
],
"title": "WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37245",
"datePublished": "2026-05-16T15:26:00.417Z",
"dateReserved": "2026-05-16T14:18:45.071Z",
"dateUpdated": "2026-05-18T18:06:40.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37244 (GCVE-0-2020-37244)
Vulnerability from nvd – Published: 2026-05-16 15:25 – Updated: 2026-05-18 17:04
VLAI
Title
WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx
Summary
Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49540 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/membership… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Membership |
Affected:
1.4.7
|
Date Public
2020-09-08 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37244",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T17:03:09.944764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T17:04:35.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Membership",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.4.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"datePublic": "2020-09-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the \u0027search\u0027 and \u0027sidx\u0027 parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:25:59.342Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49540",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49540"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/membership-by-supsystic.1.4.7.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-membership-sql-injection-via-sidx"
}
],
"title": "WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37244",
"datePublished": "2026-05-16T15:25:59.342Z",
"dateReserved": "2026-05-16T14:18:12.372Z",
"dateUpdated": "2026-05-18T17:04:35.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37243 (GCVE-0-2020-37243)
Vulnerability from nvd – Published: 2026-05-16 15:25 – Updated: 2026-05-18 19:54
VLAI
Title
WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS
Summary
Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and 'Edit HTML' fields that execute malicious scripts when viewing pricing tables.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49533 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/pricing-ta… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Pricing Table |
Affected:
1.8.6
Affected: 1.8.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37243",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T19:53:56.682491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T19:54:15.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pricing Table",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.8.6"
},
{
"status": "affected",
"version": "1.8.7"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpdarko:responsive_pricing_table:1.8.6:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpdarko:responsive_pricing_table:1.8.7:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the \u0027sidx\u0027 GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the \u0027Edit name\u0027 and \u0027Edit HTML\u0027 fields that execute malicious scripts when viewing pricing tables."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:25:58.571Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49533",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49533"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/pricing-table-by-supsystic.1.8.7.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-pricing-table-sql-injection-xss"
}
],
"title": "WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37243",
"datePublished": "2026-05-16T15:25:58.571Z",
"dateReserved": "2026-05-16T14:17:49.669Z",
"dateUpdated": "2026-05-18T19:54:15.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37242 (GCVE-0-2020-37242)
Vulnerability from nvd – Published: 2026-05-16 15:25 – Updated: 2026-05-18 12:55
VLAI
Title
WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx
Summary
Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49532 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/ultimate-m… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Ultimate Maps |
Affected:
1.1.12
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37242",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T12:54:41.128815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T12:55:04.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ultimate Maps",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.1.12"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.1.12:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.16:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.15:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.14:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.13:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.12:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.11:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.10:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.9:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.8:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.7:*:*:*:*:wordpress:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the \u0027sidx\u0027 GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:25:57.854Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49532",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49532"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/ultimate-maps-by-supsystic.1.1.12.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-ultimate-maps-sql-injection-via-sidx"
}
],
"title": "WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37242",
"datePublished": "2026-05-16T15:25:57.854Z",
"dateReserved": "2026-05-15T15:04:26.823Z",
"dateUpdated": "2026-05-18T12:55:04.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52753 (GCVE-0-2025-52753)
Vulnerability from nvd – Published: 2025-10-22 14:32 – Updated: 2026-04-28 19:04
VLAI
Title
WordPress Contact Form by Supsystic plugin <= 1.7.36 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Reflected XSS.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.36.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Contact Form by Supsystic |
Affected:
0 , ≤ 1.7.36
(custom)
|
Date Public
2026-04-01 15:59
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T15:21:04.911571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T19:04:48.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "contact-form-by-supsystic",
"product": "Contact Form by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.8.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.36",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "63n0 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:27.609Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Reflected XSS.\u003cp\u003eThis issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.36.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Reflected XSS.This issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.36."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:18.167Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-by-supsystic/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-35-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Contact Form by Supsystic plugin \u003c= 1.7.36 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-52753",
"datePublished": "2025-10-22T14:32:25.219Z",
"dateReserved": "2025-06-19T10:02:55.535Z",
"dateUpdated": "2026-04-28T19:04:48.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32138 (GCVE-0-2025-32138)
Vulnerability from nvd – Published: 2025-04-04 15:58 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress Easy Google Maps plugin <= 1.11.18 - XML External Entity vulnerability
Summary
Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection.This issue affects Easy Google Maps: from n/a through <= 1.11.18.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Easy Google Maps |
Affected:
0 , ≤ 1.11.18
(custom)
|
Date Public
2026-04-01 16:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T19:54:42.701430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T20:18:10.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "google-maps-easy",
"product": "Easy Google Maps",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.11.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.11.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "minhtuanact | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:18.531Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection.\u003cp\u003eThis issue affects Easy Google Maps: from n/a through \u003c= 1.11.18.\u003c/p\u003e"
}
],
"value": "Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection.This issue affects Easy Google Maps: from n/a through \u003c= 1.11.18."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:17.022Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/google-maps-easy/vulnerability/wordpress-easy-google-maps-plugin-1-11-17-xml-external-entity-vulnerability?_s_id=cve"
}
],
"title": "WordPress Easy Google Maps plugin \u003c= 1.11.18 - XML External Entity vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32138",
"datePublished": "2025-04-04T15:58:32.318Z",
"dateReserved": "2025-04-04T10:00:42.738Z",
"dateUpdated": "2026-04-28T16:12:17.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56253 (GCVE-0-2024-56253)
Vulnerability from nvd – Published: 2025-01-02 12:01 – Updated: 2026-05-11 22:32
VLAI
Title
WordPress Data Tables Generator by Supsystic plugin <= 1.10.36 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in supsystic Data Tables Generator by Supsystic data-tables-generator-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Data Tables Generator by Supsystic: from n/a through <= 1.10.36.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Data Tables Generator by Supsystic |
Affected:
0 , ≤ 1.10.36
(custom)
|
Date Public
2026-04-01 16:31
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T14:43:24.245315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:32:40.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "data-tables-generator-by-supsystic",
"product": "Data Tables Generator by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.10.37",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.36",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aiden | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:31:05.968Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in supsystic Data Tables Generator by Supsystic data-tables-generator-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Data Tables Generator by Supsystic: from n/a through \u003c= 1.10.36.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in supsystic Data Tables Generator by Supsystic data-tables-generator-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Data Tables Generator by Supsystic: from n/a through \u003c= 1.10.36."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:56.223Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/data-tables-generator-by-supsystic/vulnerability/wordpress-data-tables-generator-by-supsystic-plugin-1-10-36-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Data Tables Generator by Supsystic plugin \u003c= 1.10.36 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56253",
"datePublished": "2025-01-02T12:01:24.834Z",
"dateReserved": "2024-12-18T19:04:26.186Z",
"dateUpdated": "2026-05-11T22:32:40.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-39997 (GCVE-0-2023-39997)
Vulnerability from nvd – Published: 2024-12-13 14:24 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Popup by Supsystic plugin <= 1.10.19 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic.com | Popup by Supsystic |
Affected:
n/a , ≤ 1.10.19
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39997",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:09:16.127784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T20:36:20.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "popup-by-supsystic",
"product": "Popup by Supsystic",
"vendor": "supsystic.com",
"versions": [
{
"changes": [
{
"at": "1.10.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.19",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafshanzani Suhada (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Popup by Supsystic: from n/a through 1.10.19.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:35.733Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/popup-by-supsystic/vulnerability/wordpress-popup-by-supsystic-plugin-1-10-19-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20)."
}
],
"value": "Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Popup by Supsystic plugin \u003c= 1.10.19 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-39997",
"datePublished": "2024-12-13T14:24:01.310Z",
"dateReserved": "2023-08-08T11:43:05.859Z",
"dateUpdated": "2026-04-28T16:08:35.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51353 (GCVE-0-2023-51353)
Vulnerability from nvd – Published: 2024-12-09 11:29 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress Popup by Supsystic plugin <= 1.10.19 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through <= 1.10.19.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Popup by Supsystic |
Affected:
0 , ≤ 1.10.19
(custom)
|
|
| supsystic | popup |
Affected:
0 , ≤ 1.10.19
(custom)
cpe:2.3:a:supsystic:popup:1.10.19:*:*:*:*:wordpress:*:* |
Date Public
2026-04-22 14:35
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:popup:1.10.19:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "popup",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.10.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51353",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:06:09.279074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:08:01.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "popup-by-supsystic",
"product": "Popup by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.10.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdi Pranata | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:35:17.654Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Popup by Supsystic: from n/a through \u003c= 1.10.19.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through \u003c= 1.10.19."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:51:52.413Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/popup-by-supsystic/vulnerability/wordpress-popup-by-supsystic-plugin-1-10-19-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"title": "WordPress Popup by Supsystic plugin \u003c= 1.10.19 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-51353",
"datePublished": "2024-12-09T11:29:51.014Z",
"dateReserved": "2023-12-18T10:49:48.400Z",
"dateUpdated": "2026-04-29T09:51:52.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52434 (GCVE-0-2024-52434)
Vulnerability from nvd – Published: 2024-11-18 14:18 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Popup by Supsystic plugin <= 1.10.29 - Remote Code Execution (RCE) vulnerability
Summary
Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through <= 1.10.29.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-82 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Popup by Supsystic |
Affected:
0 , ≤ 1.10.29
(custom)
|
|
| supsystic | popup |
Affected:
0 , ≤ 1.10.29
(custom)
cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:* |
Date Public
2026-04-01 16:29
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "popup",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.10.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T15:41:39.229276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T14:44:31.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "popup-by-supsystic",
"product": "Popup by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.10.30",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hakiduck | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:29:52.558Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.\u003cp\u003eThis issue affects Popup by Supsystic: from n/a through \u003c= 1.10.29.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through \u003c= 1.10.29."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-82",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:42.243Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/popup-by-supsystic/vulnerability/wordpress-popup-by-supsystic-plugin-1-10-29-remote-code-execution-rce-vulnerability?_s_id=cve"
}
],
"title": "WordPress Popup by Supsystic plugin \u003c= 1.10.29 - Remote Code Execution (RCE) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-52434",
"datePublished": "2024-11-18T14:18:13.457Z",
"dateReserved": "2024-11-11T06:39:38.393Z",
"dateUpdated": "2026-04-28T16:10:42.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48046 (GCVE-0-2024-48046)
Vulnerability from nvd – Published: 2024-10-17 12:19 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Contact Form by Supsystic plugin <= 1.7.28 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Stored XSS.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.28.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Contact Form by Supsystic |
Affected:
0 , ≤ 1.7.28
(custom)
|
Date Public
2026-04-01 16:28
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T13:02:51.674203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T13:03:09.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "contact-form-by-supsystic",
"product": "Contact Form by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.7.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.28",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "UKO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:04.959Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Stored XSS.\u003cp\u003eThis issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Stored XSS.This issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:22.652Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-by-supsystic/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-28-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Contact Form by Supsystic plugin \u003c= 1.7.28 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-48046",
"datePublished": "2024-10-17T12:19:08.709Z",
"dateReserved": "2024-10-08T13:14:57.117Z",
"dateUpdated": "2026-04-28T16:10:22.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48042 (GCVE-0-2024-48042)
Vulnerability from nvd – Published: 2024-10-16 12:58 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Contact Form by Supsystic plugin <= 1.7.28 - Remote Code Execution (RCE) vulnerability
Summary
Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.28.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-82 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Contact Form by Supsystic |
Affected:
0 , ≤ 1.7.28
(custom)
|
|
| supsystic | contact_form |
Affected:
0 , ≤ 1.7.28
(custom)
cpe:2.3:a:supsystic:contact_form:-:*:*:*:*:wordpress:*:* |
Date Public
2026-04-01 16:28
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:contact_form:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "contact_form",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.7.28",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:34:57.728290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:35:59.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "contact-form-by-supsystic",
"product": "Contact Form by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.7.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.28",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hakiduck | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:01.420Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.\u003cp\u003eThis issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.This issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-82",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:22.282Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-by-supsystic/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-28-remote-code-execution-rce-vulnerability?_s_id=cve"
}
],
"title": "WordPress Contact Form by Supsystic plugin \u003c= 1.7.28 - Remote Code Execution (RCE) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-48042",
"datePublished": "2024-10-16T12:58:37.665Z",
"dateReserved": "2024-10-08T13:14:57.117Z",
"dateUpdated": "2026-04-28T16:10:22.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47330 (GCVE-0-2024-47330)
Vulnerability from nvd – Published: 2024-09-26 02:38 – Updated: 2026-04-28 16:10
VLAI
Title
Broken Access Control vulnerability on multiple WordPress plugins by Supsystic
Summary
Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/sli… | vdb-entry |
| https://patchstack.com/database/vulnerability/soc… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Slider by Supsystic |
Affected:
n/a , ≤ 1.8.6
(custom)
|
|
| Supsystic | Social Share Buttons by Supsystic |
Affected:
n/a , ≤ 2.2.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:54:28.481734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:54:38.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "slider-by-supsystic",
"product": "Slider by Supsystic",
"vendor": "Supsystic",
"versions": [
{
"changes": [
{
"at": "1.8.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "social-share-buttons-by-supsystic",
"product": "Social Share Buttons by Supsystic",
"vendor": "Supsystic",
"versions": [
{
"lessThanOrEqual": "2.2.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.\u003cp\u003eThis issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:18.923Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/slider-by-supsystic/wordpress-slider-by-supsystic-plugin-1-8-6-broken-access-control-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/social-share-buttons-by-supsystic/wordpress-social-share-buttons-by-supsystic-plugin-2-2-9-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Slider by Supsystic to 1.8.7 or a higher version."
}
],
"value": "Update Slider by Supsystic to 1.8.7 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken Access Control vulnerability on multiple WordPress plugins by Supsystic",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47330",
"datePublished": "2024-09-26T02:38:03.935Z",
"dateReserved": "2024-09-24T13:00:47.393Z",
"dateUpdated": "2026-04-28T16:10:18.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5219 (GCVE-0-2024-5219)
Vulnerability from nvd – Published: 2024-07-02 06:49 – Updated: 2026-04-08 16:50
VLAI
Title
Easy Google Maps <= 1.11.15 - Authenticated (Author+) Stored Cross-Site Scripting
Summary
The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsysticcom | Easy Google Maps |
Affected:
0 , ≤ 1.11.15
(semver)
|
|
| supsystic | easy_google_maps |
Affected:
0 , ≤ 1.11.15
(semver)
cpe:2.3:a:supsystic:easy_google_maps:-:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:easy_google_maps:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "easy_google_maps",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.11.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T15:07:33.054691Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T15:08:53.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.995Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4af9c623-1539-4afc-9dcd-3f97d29aa4f3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/google-maps-easy/tags/1.11.15/modules/icons/mod.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3105921/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Google Maps",
"vendor": "supsysticcom",
"versions": [
{
"lessThanOrEqual": "1.11.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:52.692Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4af9c623-1539-4afc-9dcd-3f97d29aa4f3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-maps-easy/tags/1.11.15/modules/icons/mod.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3105921/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-01T17:56:24.000Z",
"value": "Disclosed"
}
],
"title": "Easy Google Maps \u003c= 1.11.15 - Authenticated (Author+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5219",
"datePublished": "2024-07-02T06:49:43.750Z",
"dateReserved": "2024-05-22T19:11:50.607Z",
"dateUpdated": "2026-04-08T16:50:52.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37246 (GCVE-0-2020-37246)
Vulnerability from cvelistv5 – Published: 2026-05-16 15:26 – Updated: 2026-05-18 17:53
VLAI
Title
WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion
Summary
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.
Severity
6.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49545 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/backup-by-… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T17:35:07.238097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T17:53:28.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Backup",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "2.3.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:26:01.314Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49545",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49545"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/backup-by-supsystic.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-backup-local-file-inclusion"
}
],
"title": "WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37246",
"datePublished": "2026-05-16T15:26:01.314Z",
"dateReserved": "2026-05-16T14:20:25.326Z",
"dateUpdated": "2026-05-18T17:53:28.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37245 (GCVE-0-2020-37245)
Vulnerability from cvelistv5 – Published: 2026-05-16 15:26 – Updated: 2026-05-18 18:06
VLAI
Title
WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS
Summary
Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49542 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/digital-pu… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Digital Publications |
Affected:
1.6.9
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37245",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T18:05:57.557582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T18:06:40.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Digital Publications",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.6.9"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:supsystic:digital_publications_by_supsystic:1.6.9:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:26:00.417Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49542",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49542"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-digital-publications-path-traversal-xss"
}
],
"title": "WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37245",
"datePublished": "2026-05-16T15:26:00.417Z",
"dateReserved": "2026-05-16T14:18:45.071Z",
"dateUpdated": "2026-05-18T18:06:40.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37244 (GCVE-0-2020-37244)
Vulnerability from cvelistv5 – Published: 2026-05-16 15:25 – Updated: 2026-05-18 17:04
VLAI
Title
WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx
Summary
Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49540 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/membership… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Membership |
Affected:
1.4.7
|
Date Public
2020-09-08 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37244",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T17:03:09.944764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T17:04:35.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Membership",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.4.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"datePublic": "2020-09-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the \u0027search\u0027 and \u0027sidx\u0027 parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:25:59.342Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49540",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49540"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/membership-by-supsystic.1.4.7.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-membership-sql-injection-via-sidx"
}
],
"title": "WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37244",
"datePublished": "2026-05-16T15:25:59.342Z",
"dateReserved": "2026-05-16T14:18:12.372Z",
"dateUpdated": "2026-05-18T17:04:35.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37243 (GCVE-0-2020-37243)
Vulnerability from cvelistv5 – Published: 2026-05-16 15:25 – Updated: 2026-05-18 19:54
VLAI
Title
WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS
Summary
Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and 'Edit HTML' fields that execute malicious scripts when viewing pricing tables.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49533 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/pricing-ta… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Pricing Table |
Affected:
1.8.6
Affected: 1.8.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37243",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T19:53:56.682491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T19:54:15.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pricing Table",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.8.6"
},
{
"status": "affected",
"version": "1.8.7"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpdarko:responsive_pricing_table:1.8.6:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpdarko:responsive_pricing_table:1.8.7:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the \u0027sidx\u0027 GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the \u0027Edit name\u0027 and \u0027Edit HTML\u0027 fields that execute malicious scripts when viewing pricing tables."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:25:58.571Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49533",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49533"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/pricing-table-by-supsystic.1.8.7.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-pricing-table-sql-injection-xss"
}
],
"title": "WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37243",
"datePublished": "2026-05-16T15:25:58.571Z",
"dateReserved": "2026-05-16T14:17:49.669Z",
"dateUpdated": "2026-05-18T19:54:15.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37242 (GCVE-0-2020-37242)
Vulnerability from cvelistv5 – Published: 2026-05-16 15:25 – Updated: 2026-05-18 12:55
VLAI
Title
WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx
Summary
Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49532 | exploit |
| https://supsystic.com/ | product |
| https://downloads.wordpress.org/plugin/ultimate-m… | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Ultimate Maps |
Affected:
1.1.12
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37242",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T12:54:41.128815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T12:55:04.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ultimate Maps",
"vendor": "Supsystic",
"versions": [
{
"status": "affected",
"version": "1.1.12"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.1.12:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.16:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.15:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.14:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.13:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.12:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.11:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.10:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.9:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.8:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:supsystic:ultimate_maps:1.2.7:*:*:*:*:wordpress:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik David Martin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the \u0027sidx\u0027 GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:25:57.854Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49532",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49532"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://supsystic.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://downloads.wordpress.org/plugin/ultimate-maps-by-supsystic.1.1.12.zip"
},
{
"name": "VulnCheck Advisory: WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-ultimate-maps-sql-injection-via-sidx"
}
],
"title": "WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37242",
"datePublished": "2026-05-16T15:25:57.854Z",
"dateReserved": "2026-05-15T15:04:26.823Z",
"dateUpdated": "2026-05-18T12:55:04.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52753 (GCVE-0-2025-52753)
Vulnerability from cvelistv5 – Published: 2025-10-22 14:32 – Updated: 2026-04-28 19:04
VLAI
Title
WordPress Contact Form by Supsystic plugin <= 1.7.36 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Reflected XSS.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.36.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Contact Form by Supsystic |
Affected:
0 , ≤ 1.7.36
(custom)
|
Date Public
2026-04-01 15:59
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T15:21:04.911571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T19:04:48.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "contact-form-by-supsystic",
"product": "Contact Form by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.8.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.36",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "63n0 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:27.609Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Reflected XSS.\u003cp\u003eThis issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.36.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Reflected XSS.This issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.36."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:18.167Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-by-supsystic/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-35-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Contact Form by Supsystic plugin \u003c= 1.7.36 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-52753",
"datePublished": "2025-10-22T14:32:25.219Z",
"dateReserved": "2025-06-19T10:02:55.535Z",
"dateUpdated": "2026-04-28T19:04:48.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32138 (GCVE-0-2025-32138)
Vulnerability from cvelistv5 – Published: 2025-04-04 15:58 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress Easy Google Maps plugin <= 1.11.18 - XML External Entity vulnerability
Summary
Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection.This issue affects Easy Google Maps: from n/a through <= 1.11.18.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Easy Google Maps |
Affected:
0 , ≤ 1.11.18
(custom)
|
Date Public
2026-04-01 16:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T19:54:42.701430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T20:18:10.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "google-maps-easy",
"product": "Easy Google Maps",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.11.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.11.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "minhtuanact | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:18.531Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection.\u003cp\u003eThis issue affects Easy Google Maps: from n/a through \u003c= 1.11.18.\u003c/p\u003e"
}
],
"value": "Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection.This issue affects Easy Google Maps: from n/a through \u003c= 1.11.18."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:17.022Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/google-maps-easy/vulnerability/wordpress-easy-google-maps-plugin-1-11-17-xml-external-entity-vulnerability?_s_id=cve"
}
],
"title": "WordPress Easy Google Maps plugin \u003c= 1.11.18 - XML External Entity vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32138",
"datePublished": "2025-04-04T15:58:32.318Z",
"dateReserved": "2025-04-04T10:00:42.738Z",
"dateUpdated": "2026-04-28T16:12:17.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56253 (GCVE-0-2024-56253)
Vulnerability from cvelistv5 – Published: 2025-01-02 12:01 – Updated: 2026-05-11 22:32
VLAI
Title
WordPress Data Tables Generator by Supsystic plugin <= 1.10.36 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in supsystic Data Tables Generator by Supsystic data-tables-generator-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Data Tables Generator by Supsystic: from n/a through <= 1.10.36.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Data Tables Generator by Supsystic |
Affected:
0 , ≤ 1.10.36
(custom)
|
Date Public
2026-04-01 16:31
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T14:43:24.245315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:32:40.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "data-tables-generator-by-supsystic",
"product": "Data Tables Generator by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.10.37",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.36",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aiden | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:31:05.968Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in supsystic Data Tables Generator by Supsystic data-tables-generator-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Data Tables Generator by Supsystic: from n/a through \u003c= 1.10.36.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in supsystic Data Tables Generator by Supsystic data-tables-generator-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Data Tables Generator by Supsystic: from n/a through \u003c= 1.10.36."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:56.223Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/data-tables-generator-by-supsystic/vulnerability/wordpress-data-tables-generator-by-supsystic-plugin-1-10-36-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Data Tables Generator by Supsystic plugin \u003c= 1.10.36 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56253",
"datePublished": "2025-01-02T12:01:24.834Z",
"dateReserved": "2024-12-18T19:04:26.186Z",
"dateUpdated": "2026-05-11T22:32:40.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-39997 (GCVE-0-2023-39997)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Popup by Supsystic plugin <= 1.10.19 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic.com | Popup by Supsystic |
Affected:
n/a , ≤ 1.10.19
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39997",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:09:16.127784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T20:36:20.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "popup-by-supsystic",
"product": "Popup by Supsystic",
"vendor": "supsystic.com",
"versions": [
{
"changes": [
{
"at": "1.10.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.19",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafshanzani Suhada (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Popup by Supsystic: from n/a through 1.10.19.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:35.733Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/popup-by-supsystic/vulnerability/wordpress-popup-by-supsystic-plugin-1-10-19-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20)."
}
],
"value": "Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Popup by Supsystic plugin \u003c= 1.10.19 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-39997",
"datePublished": "2024-12-13T14:24:01.310Z",
"dateReserved": "2023-08-08T11:43:05.859Z",
"dateUpdated": "2026-04-28T16:08:35.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51353 (GCVE-0-2023-51353)
Vulnerability from cvelistv5 – Published: 2024-12-09 11:29 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress Popup by Supsystic plugin <= 1.10.19 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through <= 1.10.19.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Popup by Supsystic |
Affected:
0 , ≤ 1.10.19
(custom)
|
|
| supsystic | popup |
Affected:
0 , ≤ 1.10.19
(custom)
cpe:2.3:a:supsystic:popup:1.10.19:*:*:*:*:wordpress:*:* |
Date Public
2026-04-22 14:35
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:popup:1.10.19:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "popup",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.10.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51353",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:06:09.279074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:08:01.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "popup-by-supsystic",
"product": "Popup by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.10.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdi Pranata | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:35:17.654Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Popup by Supsystic: from n/a through \u003c= 1.10.19.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through \u003c= 1.10.19."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:51:52.413Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/popup-by-supsystic/vulnerability/wordpress-popup-by-supsystic-plugin-1-10-19-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"title": "WordPress Popup by Supsystic plugin \u003c= 1.10.19 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-51353",
"datePublished": "2024-12-09T11:29:51.014Z",
"dateReserved": "2023-12-18T10:49:48.400Z",
"dateUpdated": "2026-04-29T09:51:52.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52434 (GCVE-0-2024-52434)
Vulnerability from cvelistv5 – Published: 2024-11-18 14:18 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Popup by Supsystic plugin <= 1.10.29 - Remote Code Execution (RCE) vulnerability
Summary
Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through <= 1.10.29.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-82 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Popup by Supsystic |
Affected:
0 , ≤ 1.10.29
(custom)
|
|
| supsystic | popup |
Affected:
0 , ≤ 1.10.29
(custom)
cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:* |
Date Public
2026-04-01 16:29
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "popup",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.10.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T15:41:39.229276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T14:44:31.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "popup-by-supsystic",
"product": "Popup by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.10.30",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hakiduck | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:29:52.558Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.\u003cp\u003eThis issue affects Popup by Supsystic: from n/a through \u003c= 1.10.29.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through \u003c= 1.10.29."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-82",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:42.243Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/popup-by-supsystic/vulnerability/wordpress-popup-by-supsystic-plugin-1-10-29-remote-code-execution-rce-vulnerability?_s_id=cve"
}
],
"title": "WordPress Popup by Supsystic plugin \u003c= 1.10.29 - Remote Code Execution (RCE) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-52434",
"datePublished": "2024-11-18T14:18:13.457Z",
"dateReserved": "2024-11-11T06:39:38.393Z",
"dateUpdated": "2026-04-28T16:10:42.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48046 (GCVE-0-2024-48046)
Vulnerability from cvelistv5 – Published: 2024-10-17 12:19 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Contact Form by Supsystic plugin <= 1.7.28 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Stored XSS.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.28.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Contact Form by Supsystic |
Affected:
0 , ≤ 1.7.28
(custom)
|
Date Public
2026-04-01 16:28
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T13:02:51.674203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T13:03:09.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "contact-form-by-supsystic",
"product": "Contact Form by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.7.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.28",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "UKO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:04.959Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Stored XSS.\u003cp\u003eThis issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Stored XSS.This issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:22.652Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-by-supsystic/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-28-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Contact Form by Supsystic plugin \u003c= 1.7.28 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-48046",
"datePublished": "2024-10-17T12:19:08.709Z",
"dateReserved": "2024-10-08T13:14:57.117Z",
"dateUpdated": "2026-04-28T16:10:22.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48042 (GCVE-0-2024-48042)
Vulnerability from cvelistv5 – Published: 2024-10-16 12:58 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Contact Form by Supsystic plugin <= 1.7.28 - Remote Code Execution (RCE) vulnerability
Summary
Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.28.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-82 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsystic | Contact Form by Supsystic |
Affected:
0 , ≤ 1.7.28
(custom)
|
|
| supsystic | contact_form |
Affected:
0 , ≤ 1.7.28
(custom)
cpe:2.3:a:supsystic:contact_form:-:*:*:*:*:wordpress:*:* |
Date Public
2026-04-01 16:28
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:contact_form:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "contact_form",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.7.28",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:34:57.728290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:35:59.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "contact-form-by-supsystic",
"product": "Contact Form by Supsystic",
"vendor": "supsystic",
"versions": [
{
"changes": [
{
"at": "1.7.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.28",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hakiduck | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:01.420Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.\u003cp\u003eThis issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.This issue affects Contact Form by Supsystic: from n/a through \u003c= 1.7.28."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-82",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:22.282Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-by-supsystic/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-28-remote-code-execution-rce-vulnerability?_s_id=cve"
}
],
"title": "WordPress Contact Form by Supsystic plugin \u003c= 1.7.28 - Remote Code Execution (RCE) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-48042",
"datePublished": "2024-10-16T12:58:37.665Z",
"dateReserved": "2024-10-08T13:14:57.117Z",
"dateUpdated": "2026-04-28T16:10:22.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47330 (GCVE-0-2024-47330)
Vulnerability from cvelistv5 – Published: 2024-09-26 02:38 – Updated: 2026-04-28 16:10
VLAI
Title
Broken Access Control vulnerability on multiple WordPress plugins by Supsystic
Summary
Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/sli… | vdb-entry |
| https://patchstack.com/database/vulnerability/soc… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Supsystic | Slider by Supsystic |
Affected:
n/a , ≤ 1.8.6
(custom)
|
|
| Supsystic | Social Share Buttons by Supsystic |
Affected:
n/a , ≤ 2.2.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:54:28.481734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:54:38.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "slider-by-supsystic",
"product": "Slider by Supsystic",
"vendor": "Supsystic",
"versions": [
{
"changes": [
{
"at": "1.8.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "social-share-buttons-by-supsystic",
"product": "Social Share Buttons by Supsystic",
"vendor": "Supsystic",
"versions": [
{
"lessThanOrEqual": "2.2.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.\u003cp\u003eThis issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:18.923Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/slider-by-supsystic/wordpress-slider-by-supsystic-plugin-1-8-6-broken-access-control-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/social-share-buttons-by-supsystic/wordpress-social-share-buttons-by-supsystic-plugin-2-2-9-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Slider by Supsystic to 1.8.7 or a higher version."
}
],
"value": "Update Slider by Supsystic to 1.8.7 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken Access Control vulnerability on multiple WordPress plugins by Supsystic",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47330",
"datePublished": "2024-09-26T02:38:03.935Z",
"dateReserved": "2024-09-24T13:00:47.393Z",
"dateUpdated": "2026-04-28T16:10:18.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5219 (GCVE-0-2024-5219)
Vulnerability from cvelistv5 – Published: 2024-07-02 06:49 – Updated: 2026-04-08 16:50
VLAI
Title
Easy Google Maps <= 1.11.15 - Authenticated (Author+) Stored Cross-Site Scripting
Summary
The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| supsysticcom | Easy Google Maps |
Affected:
0 , ≤ 1.11.15
(semver)
|
|
| supsystic | easy_google_maps |
Affected:
0 , ≤ 1.11.15
(semver)
cpe:2.3:a:supsystic:easy_google_maps:-:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:supsystic:easy_google_maps:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "easy_google_maps",
"vendor": "supsystic",
"versions": [
{
"lessThanOrEqual": "1.11.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T15:07:33.054691Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T15:08:53.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.995Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4af9c623-1539-4afc-9dcd-3f97d29aa4f3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/google-maps-easy/tags/1.11.15/modules/icons/mod.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3105921/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Google Maps",
"vendor": "supsysticcom",
"versions": [
{
"lessThanOrEqual": "1.11.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:52.692Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4af9c623-1539-4afc-9dcd-3f97d29aa4f3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-maps-easy/tags/1.11.15/modules/icons/mod.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3105921/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-01T17:56:24.000Z",
"value": "Disclosed"
}
],
"title": "Easy Google Maps \u003c= 1.11.15 - Authenticated (Author+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5219",
"datePublished": "2024-07-02T06:49:43.750Z",
"dateReserved": "2024-05-22T19:11:50.607Z",
"dateUpdated": "2026-04-08T16:50:52.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}