CVE-2020-37245 - Vulnerability Details

Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Supsystic	Digital Publications By Supsystic
Wordpress	Wordpress

No data.

References

Link	Providers
https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip
https://supsystic.com/
https://www.exploit-db.com/exploits/49542
https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-digital-publications-path-traversal-xss

History

Mon, 18 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 17 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Sat, 16 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited.
Title		WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS
First Time appeared		Supsystic Supsystic digital Publications By Supsystic
Weaknesses		CWE-79
CPEs		cpe:2.3:a:supsystic:digital_publications_by_supsystic:1.6.9:::::::*
Vendors & Products		Supsystic Supsystic digital Publications By Supsystic
References		https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip https://supsystic.com/ https://www.exploit-db.com/exploits/49542 https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-digital-publications-path-traversal-xss
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-16T15:26:00.417Z

Updated: 2026-05-18T18:06:40.301Z

Reserved: 2026-05-16T14:18:45.071Z

Link: CVE-2020-37245

Vulnrichment

Updated: 2026-05-18T18:06:25.560Z

NVD

Status : Deferred

Published: 2026-05-16T16:16:20.867

Modified: 2026-05-18T17:32:04.823

Link: CVE-2020-37245

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object