PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-37246 Downloads CVE debrief

The supplied record describes a local file inclusion and path traversal issue in the Supsystic Backup WordPress plugin. By manipulating the download path parameter in admin.php requests, an unauthenticated attacker can read sensitive files and, through the removeAction path, delete arbitrary files. The NVD metadata assigns CVE-2020-37246 a CVSS score of 6.9 (medium) and maps it to CWE-98.

Vendor: Downloads
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

WordPress administrators, managed hosting providers, and security teams responsible for sites that may have Supsystic Backup 2.3.9 installed should treat this as a file confidentiality and integrity risk.

Technical summary

Based on the supplied description and NVD metadata, CVE-2020-37246 affects Supsystic Backup 2.3.9 and is described as a local file inclusion vulnerability reachable through crafted admin.php requests. The issue is triggered by manipulating the download parameter with directory traversal sequences, which can expose arbitrary files such as /etc/passwd, and the removeAction parameter can be used to delete files. The supplied NVD record classifies the weakness as CWE-98.

Defensive priority

Medium by score, but higher operational priority for any environment that still uses Supsystic Backup 2.3.9 because the impact includes unauthorized file read and file deletion.

Recommended defensive actions

  • Disable or remove Supsystic Backup 2.3.9 until a fixed vendor release or explicit remediation guidance is confirmed.
  • Review WordPress and web-server logs for requests to admin.php with unusual download or removeAction parameters and traversal patterns.
  • Check for evidence of sensitive file access or unexpected deletions, then restore affected files from known-good backups if needed.
  • Limit access to administrative endpoints and apply least-privilege principles for WordPress and plugin file permissions.
  • Use the official CVE and NVD records, plus the vendor advisory references, to track any validated fix or update guidance.
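The log-review step above can be automated. The following is an added example, not code from PatchSiren or from the plugin's vendor: it parses web-server access-log lines in the common/combined format, keeps only requests to admin.php, and flags any download or removeAction value (the two parameters the debrief names) that still contains a traversal sequence or an absolute path after repeated percent-decoding, so double-encoded payloads are not missed. The log lines are constructed for the demonstration and are not real traffic; the log format regex and the parameter names are assumptions that should be adjusted to the site's actual logging and plugin configuration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameters named in the debrief as the ones manipulated in admin.php requests (assumption).
WATCHED_PARAMS = ("download", "removeAction")

# Traversal indicators after URL-decoding: "../", "..\", or an absolute Unix/Windows path.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|^/|^[a-zA-Z]:\\)")

# Loose match for the common/combined access-log format (assumed; adapt to the server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (e.g. %252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return a list of (param, decoded_value) findings for one request target; [] if nothing suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin.php"):
        return []
    findings = []
    # parse_qs already decodes once; decode_fully handles any further encoding layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for v in values:
            dv = decode_fully(v)
            if TRAVERSAL_RE.search(dv):
                findings.append((name, dv))
    return findings


def scan_log(lines):
    """Return one alert dict per log line whose admin.php request carries a suspicious watched parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        findings = inspect_request(m.group("target"))
        if findings:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "findings": findings,
            })
    return alerts


# Constructed sample log lines (not real traffic): the first two should alert, the last two should not.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=backup&download=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1431',
    '203.0.113.7 - - [16/May/2026:10:00:05 +0000] "GET /wp-admin/admin.php?page=backup&removeAction=1&download=%252e%252e%252fwp-config.php HTTP/1.1" 200 0',
    '198.51.100.2 - - [16/May/2026:10:01:00 +0000] "GET /wp-admin/admin.php?page=backup&download=backup-2026-05-16.zip HTTP/1.1" 200 9812',
    '198.51.100.3 - - [16/May/2026:10:02:00 +0000] "GET /index.php?p=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} status={a['status']} {a['findings']}")
```

A 200 status on a flagged request is the case to escalate: it suggests the traversal reached the file system, so the affected paths (and, for removeAction hits, whether the named file still exists) should be checked against known-good backups as the next action recommends.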

Evidence notes

This debrief is based only on the supplied NVD record and its referenced sources. The supplied description states that unauthenticated attackers can alter the download path parameter in admin.php requests to read or delete arbitrary files, including /etc/passwd. The supplied NVD metadata lists CWE-98 and a CVSS score of 6.9 (medium). The provided vendor field is marked low-confidence and needs review, so vendor attribution should not be treated as fully validated from this corpus alone. The supplied timeline shows publication and modification timestamps of 2026-05-16T16:16:20.993Z for the record.

Official resources

The supplied record shows NVD publication and modification timestamps of 2026-05-16T16:16:20.993Z. No CISA KEV entry was supplied in the timeline. The corpus includes public references to the plugin package, vendor site, Exploit-DB, and a V