PatchSiren cyber security CVE debrief
CVE-2020-37243 Downloads CVE debrief
CVE-2020-37243 affects Supsystic Pricing Table 1.8.7 for WordPress. The supplied description reports an unauthenticated SQL injection in the sidx GET parameter through the getListForTbl action, along with stored cross-site scripting in the Edit name and Edit HTML fields that executes when pricing tables are viewed. Because the SQL injection is reachable without authentication and the XSS is stored, exposed installations should be treated as urgent remediation candidates.
- Vendor: Downloads
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
WordPress administrators, site owners, managed hosting providers, and security teams responsible for installations of Pricing Table by Supsystic 1.8.7. Sites that expose the plugin to public traffic or allow content editors to manage pricing tables should prioritize review.
Technical summary
The NVD record supplied with this CVE maps the issue to CWE-89 and describes a network-reachable attack surface with no privileges or user interaction required. The vulnerability set includes an SQL injection path in the sidx GET parameter used by getListForTbl, enabling arbitrary SQL query execution, plus stored XSS in the Edit name and Edit HTML fields that can trigger when tables are rendered. The source corpus ties the issue to the Supsystic Pricing Table 1.8.7 plugin archive and a public advisory reference.
Defensive priority
High
Recommended defensive actions
- Inventory WordPress sites for Pricing Table by Supsystic 1.8.7 and any related deployments.
- Upgrade to a vendor-fixed release if one is available; otherwise disable and remove the affected plugin until remediation is confirmed.
- Treat the SQL injection as a potential database integrity and confidentiality incident; review database access logs and application logs for suspicious requests.
- Inspect stored table content for unexpected script payloads or other tampering in the Edit name and Edit HTML fields.
- If compromise is suspected, rotate credentials and review any secrets or sensitive data that may have been exposed through database access.
- Apply temporary compensating controls such as WAF rules, tight access restrictions, and heightened monitoring while remediation is in progress.
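One way to carry out the log review for the SQL injection path, as an added example that is not code from the advisory or the plugin: it scans web access logs for `getListForTbl` requests whose decoded `sidx` value is anything other than a plain identifier. It assumes combined-format access logs and that a legitimate `sidx` is a bare column name; the sample log lines, paths and addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client, timestamp, request line, status (assumed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate sidx is a bare column identifier and nothing else.
PLAIN_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_.]{0,63}")

def suspicious_sidx_requests(lines):
    """Return getListForTbl requests whose decoded sidx is not a plain identifier."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes once; a double-encoded value still contains '%'
        # after decoding, so it fails the allowlist as well.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "getListForTbl" not in params.get("action", []):
            continue
        for value in params.get("sidx", []):
            if not PLAIN_IDENTIFIER.fullmatch(value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "sidx": value})
    return hits

# Constructed sample log lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id&sord=desc HTTP/1.1" 200 512',
    '198.51.100.23 - - [16/May/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id%2C%28CONSTRUCTED%29 HTTP/1.1" 200 87',
    '203.0.113.7 - - [16/May/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=otherAction&sidx=a%20b HTTP/1.1" 200 20',
    '198.51.100.23 - - [16/May/2026:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=getListForTbl&sidx=id%2520x HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in suspicious_sidx_requests(SAMPLE_LOG):
        print(hit)
```

Matching is on the query parameters only, so it does not depend on which path the plugin is served from. Hits are leads for the database and application log review, not proof of compromise.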
Evidence notes
The debrief is based only on the supplied CVE description, NVD source item, and listed references. The source metadata is internally inconsistent on vendor identity: the vendor field is low-confidence and set to "Downloads," while the vulnerability description explicitly names Supsystic Pricing Table 1.8.7 and the reference set includes the plugin archive and vendor homepage. No unsupported exploit details are included.
Official resources
The supplied CVE and NVD metadata both carry a publication/modification timestamp of 2026-05-16T16:16:20.620Z. The provided enrichment does not mark this item as CISA KEV.