Supsystic Pricing Table SQLi & XSS: Unauthenticated RCE Risk
The National Vulnerability Database reports a critical vulnerability, CVE-2020-37243, affecting Supsystic Pricing Table plugin version 1.8.7. The flaw is an unauthenticated SQL injection in the ‘sidx’ GET parameter, reachable through the ‘getListForTbl’ action. It allows attackers to execute arbitrary SQL queries, posing a significant risk of data compromise and potentially full system control.
Beyond the SQL injection, the plugin also suffers from stored cross-site scripting (XSS) vulnerabilities. These exist in the ‘Edit name’ and ‘Edit HTML’ fields, allowing malicious scripts to execute whenever a pricing table is viewed. While requiring some level of authentication for initial input, this can lead to persistent compromise of administrative sessions or client-side attacks against users.
With a CVSS score of 8.2 (HIGH), the SQL injection component is particularly concerning due to its unauthenticated nature. This means an attacker doesn’t need legitimate credentials to begin exploiting the system, significantly lowering the bar for compromise. Defenders must prioritize patching or disabling this plugin immediately.
What This Means For You
- If your organization uses the Supsystic Pricing Table plugin, specifically version 1.8.7 or earlier, you are exposed to unauthenticated SQL injection and stored XSS. You need to identify all instances of this plugin, update it to a patched version immediately, or disable it. Review your web server logs for suspicious activity targeting the 'sidx' GET parameter or 'getListForTbl' action.
🛡️ Detection Rules
3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML is shown below.
title: CVE-2020-37243 - Supsystic Pricing Table SQLi via sidx parameter
id: scw-2026-05-16-ai-1
status: experimental
level: critical
description: |
  Detects exploitation attempts against the Supsystic Pricing Table plugin (CVE-2020-37243):
  GET requests to the admin-ajax.php endpoint that carry the 'getListForTbl' action together
  with the 'sidx' parameter, which is the unauthenticated SQL injection vector.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2020-37243/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'GET'
    c-uri|contains: '/wp-admin/admin-ajax.php'
    # both parameters must be present; 'sidx' alone is a common sort-index argument
    c-uri-query|contains|all:
      - 'action=getListForTbl'
      - 'sidx='
  condition: selection
falsepositives:
  - Legitimate administrative activity (the plugin's own list view sends the same parameters)
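The same check as the Sigma rule above, run over a few constructed Combined Log Format lines so the triage step recommended earlier (reviewing web server logs for the ‘sidx’ parameter and ‘getListForTbl’ action) can be reproduced offline. This is an added example, not code from the feed or the plugin vendor; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one benign page view, one matching request,
# one POST with the same parameters (outside the rule's GET-only scope),
# and one admin-ajax call with a different action.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2026:19:20:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [16/May/2026:19:20:03 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id&sord=asc HTTP/1.1" 200 812
198.51.100.9 - - [16/May/2026:19:21:10 +0000] "POST /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id HTTP/1.1" 200 812
203.0.113.7 - - [16/May/2026:19:22:44 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58
"""


def flag_requests(log_text: str) -> list:
    """Return one record per line matching the rule: GET to admin-ajax.php
    whose query string carries action=getListForTbl and a sidx parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "sidx" in qs and "getListForTbl" in qs.get("action", []):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "sidx": qs["sidx"][0],   # keep the raw value for analyst review
            })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Because the plugin's own list view sends these parameters, the output is a triage queue rather than a verdict: review the source address and the ‘sidx’ value of each hit against expected administrative activity.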
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2020-37243 | SQLi | Supsystic Pricing Table plugin version 1.8.7, vulnerable 'sidx' GET parameter in 'getListForTbl' action |
| CVE-2020-37243 | XSS | Supsystic Pricing Table plugin version 1.8.7, vulnerable 'Edit name' field |
| CVE-2020-37243 | XSS | Supsystic Pricing Table plugin version 1.8.7, vulnerable 'Edit HTML' field |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 16, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.