CVE-2020-37246

MEDIUM CVSS 6.2 View on NVD ↗

Description

Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

https://downloads.wordpress.org/plugin/backup-by-supsystic.zip
https://supsystic.com/
https://www.exploit-db.com/exploits/49545
https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-backup-local-file-inclusion

Published: May 16, 2026 16:16 UTC Modified: May 16, 2026 16:16 UTC