CVE-2020-37245 Overview
CVE-2020-37245 affects the Supsystic Digital Publications WordPress plugin version 1.6.9. The plugin contains two distinct flaws. The first is a path traversal vulnerability in the Folder input field that lets attackers read files outside the web root by injecting directory traversal sequences such as ../. The second is a stored cross-site scripting (XSS) flaw caused by missing input sanitization in publication settings fields like Area Width and Publication Width. Injected scripts execute when an administrator or user views or edits affected publications.
Critical Impact
Unauthenticated network-reachable attackers can read sensitive files from the host filesystem and persist JavaScript payloads that execute in administrator browsers, enabling session theft and further site compromise.
Affected Products
- Supsystic Digital Publications plugin for WordPress, version 1.6.9
- WordPress installations running the digital-publications-by-supsystic plugin
- Sites that allow publication creation or editing through the plugin interface
Discovery Timeline
- 2026-05-16 - CVE-2020-37245 published to the National Vulnerability Database
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2020-37245
Vulnerability Analysis
The plugin exposes two separate weaknesses in its publication management workflow. The Folder input field accepts user-controlled path strings and passes them to file handling routines without canonicalization or allow-list validation. Attackers supply payloads containing ../ sequences to escape the intended publication directory and reach arbitrary files on the host. The second weakness affects fields such as Area Width and Publication Width, which the plugin stores and later renders without HTML encoding or context-aware escaping. Injected <script> payloads persist in the database and fire whenever the affected publication is viewed or edited, classifying the issue as stored XSS under [CWE-79].
Root Cause
The root cause is missing input validation and output encoding across plugin settings handlers. Path inputs are not normalized against a fixed base directory, and string parameters that ultimately appear in HTML attributes and markup are not sanitized with WordPress functions such as sanitize_text_field() or esc_attr(). The combination violates standard secure-coding practices for file handling and rendering of user content.
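The two checks the root cause calls for, canonicalizing the Folder value against a fixed base directory and constraining width fields to numeric or CSS-style values before escaping them for an attribute, written here in Python as an added illustration (not the plugin's PHP, which uses functions such as sanitize_text_field() and esc_attr()). The base directory path is a constructed placeholder.

```python
import html
import os
import re

# Constructed placeholder; the plugin's real publication directory is not on the page.
PUBLICATION_BASE = "/var/www/html/wp-content/uploads/publications"

# Accept only an integer or a simple CSS length such as "800", "800px" or "100%".
WIDTH_RE = re.compile(r"^\d{1,5}(px|%|em|rem|vw)?$")


def resolve_publication_folder(user_folder, base=PUBLICATION_BASE):
    """Return the canonical folder path, or None if it escapes the base directory.

    realpath() collapses '../' segments and symlinks; comparing the result with
    the canonical base rejects traversal as well as absolute paths like /etc/passwd.
    """
    if "\x00" in user_folder:  # NUL bytes truncate paths in C-based file APIs
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_folder))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def validate_width(value):
    """Return the width string if it is numeric or CSS-like, else None."""
    value = value.strip()
    return value if WIDTH_RE.fullmatch(value) else None


def width_attr(value):
    """Render a width into an HTML attribute with attribute-context escaping."""
    safe = validate_width(value)
    if safe is None:
        safe = "auto"  # constructed fallback for rejected input
    return 'width="%s"' % html.escape(safe, quote=True)
```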
Attack Vector
The vulnerability is exploitable over the network with low attack complexity and without privileges or user interaction. An attacker submits crafted values to the publication settings endpoints, either through the plugin interface or by directly invoking its administrative actions. Traversal payloads return file contents outside the web root, while XSS payloads execute under the origin of the WordPress site when administrators access the publication. Technical proof-of-concept material is documented in the Exploit-DB entry #49542 and the VulnCheck advisory.
Detection Methods for CVE-2020-37245
Indicators of Compromise
- Web server access logs containing ../ or URL-encoded %2e%2e%2f sequences in requests targeting Supsystic plugin endpoints
- Database entries in wp_options or plugin tables holding <script>, onerror=, or javascript: strings in fields such as Area Width, Publication Width, or Folder
- Unexpected outbound requests from administrator browsers shortly after viewing or editing publications
Detection Strategies
- Inspect plugin configuration records for HTML or JavaScript content in numeric fields that should contain only integers or CSS-style widths
- Query the filesystem for the presence of digital-publications-by-supsystic at version 1.6.9 across managed WordPress hosts
- Replay recent POST requests to plugin admin endpoints in a staging environment to confirm whether traversal payloads return file contents such as /etc/passwd or wp-config.php
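A detection pass over web server access logs for the indicators and strategies listed above, added here as an example rather than anything from the advisory: it URL-decodes each request target (repeatedly, so %2e%2e%2f and double-encoded forms match), restricts matching to requests that reference the plugin slug, and tags traversal and stored-XSS markers. The sample log lines, the admin page name, the AJAX action and the folder/width parameter names are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
PLUGIN_MARKER = "supsystic"  # fragment of the plugin slug named on the page

TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
XSS_RE = re.compile(r"(<script|onerror=|javascript:)", re.IGNORECASE)


def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of URL encoding so %2e%2e%2f and %252e%252e%252f both match."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(line):
    """Return a finding for a suspicious request to a plugin endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, _size = m.groups()
    decoded = fully_decode(target)
    if PLUGIN_MARKER not in decoded.lower():
        return None  # traversal elsewhere on the site is a different investigation
    kinds = []
    if TRAVERSAL_RE.search(decoded):
        kinds.append("path-traversal")
    if XSS_RE.search(decoded):
        kinds.append("xss-marker")
    if not kinds:
        return None
    return {"client": client, "time": ts, "method": method, "status": status, "kinds": kinds}


# Constructed sample lines, not real traffic; endpoint and parameter names are assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/May/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=supsystic-dp&folder=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1863',
    '203.0.113.5 - - [16/May/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=supsystic_save&width=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 57',
    '198.51.100.7 - - [16/May/2026:10:02:00 +0000] "GET /wp-admin/admin.php?page=supsystic-dp&folder=issue-12 HTTP/1.1" 200 4021',
    '198.51.100.9 - - [16/May/2026:10:03:00 +0000] "GET /blog/../index.php HTTP/1.1" 404 0',
]


def scan(lines):
    """Run classify_request over every line and keep the findings."""
    return [f for f in (classify_request(l) for l in lines) if f]
```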
Monitoring Recommendations
- Enable web application firewall rules that flag path traversal patterns and stored XSS signatures against WordPress admin endpoints
- Forward WordPress audit logs and web server logs to a centralized SIEM for correlation of administrator session activity with publication edits
- Alert on creation or modification of publications by accounts that do not normally use the plugin
How to Mitigate CVE-2020-37245
Immediate Actions Required
- Disable or uninstall the Supsystic Digital Publications plugin until a patched release is confirmed in your environment
- Audit all existing publications for malicious script content and remove or sanitize affected records
- Rotate WordPress administrator credentials and invalidate active sessions if XSS execution is suspected
Patch Information
No vendor patch is referenced in the available advisory data. Verify the current state of the plugin against the Supsystic official site and the WordPress plugin download archive before reinstalling. If a fixed version is not available, keep the plugin removed.
Workarounds
- Restrict access to WordPress administrative paths such as /wp-admin/ using IP allow-listing or VPN-only access
- Deploy a WAF policy that blocks ../, %2e%2e%2f, and <script patterns in request bodies targeting plugin endpoints
- Apply least-privilege roles so that only trusted administrators can create or edit publications
# Remove the vulnerable plugin from a WordPress host using WP-CLI
wp plugin deactivate digital-publications-by-supsystic
wp plugin delete digital-publications-by-supsystic
# Search the database for stored XSS payloads in plugin options
wp db query "SELECT option_name FROM wp_options WHERE option_value LIKE '%<script%' AND option_name LIKE '%supsystic%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.