PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-37242 Downloads CVE debrief

CVE-2020-37242 describes an unauthenticated SQL injection in the Supsystic Ultimate Maps WordPress plugin, version 1.1.12. The issue is triggered through the getListForTbl action and the sidx GET parameter, allowing an attacker to run arbitrary SQL queries against the backend database. The supplied record rates the issue High severity (CVSS 8.8) and identifies CWE-89.

Vendor: Downloads
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

WordPress site operators, plugin maintainers, and defenders responsible for environments that use Supsystic Ultimate Maps 1.1.12 or related deployments should treat this as a priority issue. Any externally reachable site that exposes the affected action should be reviewed quickly, because the vulnerability is unauthenticated and network accessible.

Technical summary

The vulnerability is an SQL injection in the plugin's request handling for getListForTbl, where attacker-controlled input in the sidx GET parameter can influence SQL queries. The supplied description notes boolean-based blind and time-based blind techniques, indicating the flaw can be used to extract database information even without direct query output. NVD metadata maps the issue to CWE-89 and gives a CVSS 4.0 vector with network attack, no privileges, no user interaction, and high confidentiality impact.

Defensive priority

Immediate. This is a remotely reachable, unauthenticated database injection issue with high severity and potential for sensitive data exposure.

Recommended defensive actions

  • Inventory WordPress sites for Supsystic Ultimate Maps, with special attention to version 1.1.12.
  • Disable or remove the plugin where it is not strictly needed.
  • Apply any vendor guidance, patch, or replacement that addresses the SQL injection before restoring exposure.
  • Monitor web access logs for requests targeting getListForTbl and unusual sidx parameter values.
  • Review the application database for signs of unauthorized reads or unexpected query activity.
  • If the site must remain online, add compensating controls such as WAF rules and tighter request monitoring around the affected endpoint.
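The log-monitoring action above can be turned into a simple allowlist check: any request that carries the getListForTbl action is recorded for review, and a sidx value that is not a bare column identifier is flagged. This is an added example, not PatchSiren's or the plugin's own code; the admin-ajax.php URL layout and the sample log lines are constructed assumptions, and the check keys only on the action name and parameter named in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access-log lines. The request path is an
# assumption; the detection keys only on action=getListForTbl and sidx.
SAMPLE_LOG = """\
203.0.113.5 - - [16/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/May/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id%27%20OR%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2026:10:02:10 +0000] "GET /?p=42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Minimal parser for the common/combined log format: client, timestamp,
# method, request target and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate sort column is a plain identifier. Anything else in sidx
# (quotes, spaces, operators, comment markers) does not belong there.
SAFE_SIDX = re.compile(r'^[A-Za-z0-9_]{1,64}$')


def analyze_line(line):
    """Return a finding dict for requests to getListForTbl, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so the check sees the real input.
    qs = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
    if 'getListForTbl' not in qs.get('action', []):
        return None
    sidx_values = qs.get('sidx', [])
    bad = [v for v in sidx_values if not SAFE_SIDX.match(v)]
    return {
        'ip': m['ip'],
        'ts': m['ts'],
        'status': int(m['status']),
        'sidx': sidx_values,
        'suspicious': bool(bad),
    }


def scan_log(text):
    """Run analyze_line over every line; keep only getListForTbl hits."""
    return [r for r in (analyze_line(l) for l in text.splitlines()) if r]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        level = 'ALERT ' if finding['suspicious'] else 'review'
        print(level, finding['ip'], finding['ts'], finding['sidx'])
```

Feed real access logs through scan_log and treat every 'ALERT' hit as a candidate for the database review step, since blind injection leaves no visible error in the HTTP response.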

Evidence notes

The supplied source material identifies the issue as an unauthenticated SQL injection in Supsystic Ultimate Maps 1.1.12, exploitable through the getListForTbl action and sidx GET parameter. NVD metadata lists CWE-89 and provides a high-severity CVSS vector. The supplied timeline shows the CVE record published and modified on 2026-05-16, and the NVD item is marked 'Received'.

Official resources

The supplied record reflects a disclosure-backed CVE entry with NVD status 'Received' and publication/last-modified timestamps of 2026-05-16. The source corpus ties the vulnerability to a VulnCheck advisory and includes references to the CV