CVE-2020-37244 Overview
CVE-2020-37244 is a SQL injection vulnerability [CWE-89] affecting the Supsystic Membership WordPress plugin version 1.4.7. The flaw resides in the badges module, where the search and sidx parameters are passed directly into database queries without proper sanitization. Unauthenticated attackers can craft GET requests containing malicious SQL payloads to extract arbitrary data from the underlying database. Both UNION-based and time-based blind injection techniques are viable against the vulnerable endpoint. Successful exploitation exposes WordPress user credentials, membership data, and any other information accessible to the plugin's database user.
Critical Impact
Unauthenticated attackers can extract sensitive database contents, including WordPress administrator credentials, by sending crafted GET requests to the badges module.
Affected Products
- Supsystic Membership WordPress plugin version 1.4.7
- WordPress sites with the membership-by-supsystic plugin installed and activated
- Installations exposing the badges module endpoint to unauthenticated users
Discovery Timeline
- 2026-05-16 - CVE-2020-37244 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2020-37244
Vulnerability Analysis
The vulnerability is an unauthenticated SQL injection in the Supsystic Membership plugin's badges module. The plugin accepts user-supplied values for the search and sidx parameters through GET requests and concatenates them into SQL statements. Because no parameterized queries or input sanitization are applied, attackers can break out of the intended query context.
The sidx parameter is typically used to indicate the column on which to sort badge listings. Attackers can replace the expected column identifier with SQL fragments that the server then executes. The search parameter, used for filtering badge results, is similarly unsanitized and accepts arbitrary clauses appended to the underlying WHERE statement.
Both UNION-based and time-based blind techniques are confirmed to work, which means attackers can either return rows directly in the HTTP response or infer database contents through response timing. A public proof of concept has been published on Exploit-DB under entry 49540.
Root Cause
The root cause is improper neutralization of special elements in SQL commands [CWE-89]. The badges module trusts client-supplied parameters and inserts them into queries without using prepared statements or applying the WordPress $wpdb->prepare() API.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a GET request to the badges module endpoint with malicious SQL payloads embedded in the search or sidx parameter. Public exploitation details are documented in Exploit-DB entry 49540 and in the VulnCheck advisory for this SQL injection.
No verified code examples are available. Refer to the linked advisories for payload specifics and request structure.
Detection Methods for CVE-2020-37244
Indicators of Compromise
- GET requests to the badges module endpoint containing SQL keywords such as UNION, SELECT, SLEEP(, or BENCHMARK( in the search or sidx query parameters.
- HTTP access log entries showing unusually long sidx values or URL-encoded SQL syntax such as %27, %20UNION%20, or %20OR%201=1.
- Anomalous query latency on the WordPress database when the badges endpoint is requested, indicating time-based blind injection.
- Outbound queries from the web server to the database that include information_schema references tied to badges module requests.
Detection Strategies
- Deploy web application firewall (WAF) signatures that inspect search and sidx parameters for SQL metacharacters and known injection patterns.
- Enable MySQL general or slow query logging and correlate suspicious queries with web server access logs for the membership-by-supsystic plugin path.
- Hunt for plugin file presence on monitored hosts by searching for membership-by-supsystic/membership.php and confirming the installed version.
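The log-correlation strategy above, as an added example that is not part of the original advisory: a small Python scanner that reads Apache/Nginx combined-format access-log lines, decodes the search and sidx parameters (twice, so it also catches double-encoded payloads such as %2527, which goes beyond the encodings listed above), and reports the SQL keywords and metacharacters from the indicator list together with over-long sidx values and the HTTP status. The sample log lines and the admin-ajax.php endpoint path are constructed assumptions, since the page does not give the badges module URL.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Request-line fields of the Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL keywords and metacharacters from the indicator list above, matched after decoding.
SQLI_RE = re.compile(
    r"union[\s+]+select|\bsleep\s*\(|\bbenchmark\s*\(|information_schema|\bor\s+1\s*=\s*1|'",
    re.IGNORECASE,
)
WATCHED = ("search", "sidx")  # the two injectable badges-module parameters
MAX_SIDX_LEN = 32             # a legitimate sort-column name is far shorter than this
def inspect_line(line):
    """Return a finding for one access-log line, or None when the watched parameters look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    hits, long_sidx = {}, False
    for name in WATCHED:
        for raw in params.get(name, []):
            # parse_qs decoded once; decoding again unmasks %2527-style double encoding
            value = unquote_plus(raw)
            found = SQLI_RE.findall(value)
            if found:
                hits.setdefault(name, []).extend(found)
            if name == "sidx" and len(value) > MAX_SIDX_LEN:
                long_sidx = True
    if not hits and not long_sidx:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "hits": hits, "long_sidx": long_sidx}

def scan(log_text):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

# Constructed sample log lines (not from a real incident); the endpoint path is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [16/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?mod=badges&search=gold&sidx=title HTTP/1.1" 200 512
203.0.113.9 - - [16/May/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?mod=badges&search=gold&sidx=title%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2048
203.0.113.9 - - [16/May/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?mod=badges&search=%27%20OR%20SLEEP%285%29--%20&sidx=id HTTP/1.1" 500 0
198.51.100.2 - - [16/May/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?mod=badges&search=%2527%2520OR%25201%253D1&sidx=id HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed it real access logs filtered to the plugin path, then correlate the reported timestamps and source addresses with the MySQL slow-query log to confirm time-based probing.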
Monitoring Recommendations
- Alert on repeated 4xx or 5xx responses from the badges endpoint, which often accompany injection probing.
- Monitor the WordPress wp_users table for unauthorized changes to administrator accounts or newly added users.
- Track outbound connections from the web server to unexpected destinations following access to the vulnerable endpoint.
How to Mitigate CVE-2020-37244
Immediate Actions Required
- Disable or uninstall the Supsystic Membership plugin version 1.4.7 until a patched release is verified and deployed.
- Restrict access to the WordPress site's admin and plugin endpoints via IP allowlisting or authentication where feasible.
- Rotate WordPress administrator passwords and database credentials if the plugin was exposed to the internet.
- Review database audit logs for evidence of data extraction queries against wp_users, wp_usermeta, or membership tables.
Patch Information
No vendor patch is referenced in the CVE record at this time. Consult the Supsystic Official Website and the WordPress Plugin Zip Download page for the latest available release and verify that any newer version addresses the SQL injection in the badges module before reinstalling.
Workarounds
- Deploy a WAF rule that blocks GET requests to the badges module containing SQL keywords or encoded SQL metacharacters in search and sidx parameters.
- Limit database user privileges so that the WordPress account cannot read sensitive tables outside its required schema.
- Place the affected WordPress site behind authentication or VPN access if the plugin must remain active for business reasons.
# Example ModSecurity rule to block injection attempts on the vulnerable parameters.
# ARGS are already URL-decoded once by the engine; t:urlDecodeUni decodes a second
# time so double-encoded payloads (e.g. %2527 for a quote) are inspected as well.
SecRule ARGS:sidx|ARGS:search "@rx (?i)(union(\s|\+)+select|sleep\s*\(|benchmark\s*\(|information_schema)" \
    "id:1002020037244,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'CVE-2020-37244 Supsystic Membership SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.