Local File Inclusion Vulnerability in Supsystic Backup Plugin for WordPress
CVE-2020-37246
6.9MEDIUM
Key Information:
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2020-37246?
Supsystic Backup version 2.3.9 is susceptible to a local file inclusion vulnerability that enables attackers to read and potentially delete arbitrary files. This exploitation occurs through manipulation of the download path parameter in admin.php, utilizing directory traversal sequences. As a result, unauthorized users may gain access to sensitive files such as /etc/passwd or perform file deletions via the removeAction parameter.
Affected Version(s)
Backup 2.3.9
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Credit
Erik David Martin