CVE-2020-37243 Overview
CVE-2020-37243 affects the Supsystic Pricing Table WordPress plugin version 1.8.7. The plugin contains an unauthenticated SQL injection vulnerability in the sidx GET parameter processed by the getListForTbl action. Attackers can inject arbitrary SQL queries against the WordPress database without authentication. The plugin also contains stored cross-site scripting (XSS) vulnerabilities in the Edit name and Edit HTML fields, which execute attacker-controlled scripts when administrators or visitors view affected pricing tables. The flaw is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated attackers can extract database contents, including WordPress user credentials, and inject persistent JavaScript executed in administrator sessions.
Affected Products
- Supsystic Pricing Table WordPress plugin version 1.8.7
- WordPress sites using the vulnerable plugin via the getListForTbl AJAX action
- Administrators editing pricing table entries through the affected Edit name and Edit HTML fields
Discovery Timeline
- 2026-05-16 - CVE-2020-37243 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2020-37243
Vulnerability Analysis
The Supsystic Pricing Table plugin exposes the getListForTbl action through WordPress AJAX endpoints. The handler accepts the sidx GET parameter and concatenates its value directly into an ORDER BY clause without sanitization or parameter binding. Attackers can supply SQL fragments through sidx to perform UNION-based or time-based extraction of database contents.
The stored XSS issues exist in the table editing interface. The Edit name and Edit HTML fields accept JavaScript payloads, which the plugin persists in the database and later renders without output encoding. When an administrator or visitor loads the pricing table, the injected script executes in the browser context.
Root Cause
The SQL injection stems from concatenating user-supplied sort parameters into SQL statements. The sidx value is intended as a column name for ordering but is treated as trusted input. The XSS issues result from missing input validation and missing output encoding when rendering stored field values into HTML.
Attack Vector
Exploitation occurs over the network without authentication. An attacker sends a crafted GET request to the WordPress AJAX endpoint with a malicious sidx value to trigger SQL injection. For the stored XSS issues, an attacker with editing access submits JavaScript through the Edit name or Edit HTML fields, which executes in subsequent administrator sessions. Refer to the VulnCheck SQL Injection Advisory and Exploit-DB #49533 for technical proof-of-concept details.
Detection Methods for CVE-2020-37243
Indicators of Compromise
- Web server access logs containing requests to admin-ajax.php with action=getListForTbl and SQL syntax in the sidx parameter (for example UNION, SLEEP, SELECT, or backtick characters)
- Unexpected JavaScript content stored in the plugin's database tables for pricing table name or HTML fields
- Administrator browser sessions loading external scripts referenced from pricing table pages
Detection Strategies
- Inspect HTTP request logs for anomalous values in the sidx parameter sent to the Supsystic Pricing Table AJAX handler
- Query the WordPress database for pricing table records containing <script>, onerror=, or javascript: patterns in name or HTML fields
- Deploy web application firewall signatures that flag SQL keywords in query parameters for /wp-admin/admin-ajax.php
Monitoring Recommendations
- Alert on outbound database errors or unusually long response times for requests targeting admin-ajax.php
- Monitor WordPress administrator accounts for new privileged users or unexpected role changes that may indicate post-exploitation activity
- Track plugin file integrity and database table modifications for the Supsystic Pricing Table plugin
How to Mitigate CVE-2020-37243
Immediate Actions Required
- Disable the Supsystic Pricing Table plugin version 1.8.7 until a patched release is installed
- Review WordPress user accounts for unauthorized administrators and rotate credentials for all privileged users
- Audit the database for stored XSS payloads in pricing table records and remove malicious entries
Patch Information
No vendor advisory URL is referenced in the NVD entry. Site operators should consult the Supsystic Official Website for current plugin releases and verify that the installed version is later than 1.8.7. The vulnerable archive is available at the WordPress Plugin ZIP Archive for forensic comparison only.
Workarounds
- Block requests to admin-ajax.php containing the getListForTbl action at the web application firewall until the plugin is updated or removed
- Restrict access to the WordPress administration interface by IP allowlist to limit exposure of the stored XSS sinks
- Replace the plugin with an alternative pricing table solution if vendor patches are unavailable
# Example ModSecurity rule to block SQL syntax in the sidx parameter
SecRule ARGS:sidx "@rx (?i)(union|select|sleep|benchmark|--|/\*)" \
"id:1003724,phase:2,deny,status:403,msg:'CVE-2020-37243 Supsystic sidx SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
