Description
Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information.
Published: 2026-05-16
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the Supsystic Ultimate Maps WordPress plugin. It is reached through the 'sidx' GET parameter handled by the getListForTbl action. An attacker can send crafted GET requests that inject arbitrary SQL through this parameter, using boolean-based blind or time-based blind techniques to extract sensitive database information.

Affected Systems

The affected build is Supsystic Ultimate Maps 1.1.12. Although the CPE list also includes newer 1.2.x releases, the description confirms exploitation only for the 1.1.12 build; administrators should verify the installed version and consider upgrading if possible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The attack is unauthenticated and remote, and requires no conditions beyond sending a crafted request to a publicly reachable URL. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, but the ability to execute arbitrary SQL queries remains a significant risk. Based on the description, an attacker could gather database contents that might later be leveraged in further attacks, although that is beyond the scope of the described vulnerability.

Generated by OpenCVE AI on May 16, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Supsystic Ultimate Maps to the latest stable release, which removes the vulnerable code.
  • If an update is not immediately possible, restrict or block access to the getListForTbl endpoint, allowing only authenticated users.
  • Configure a web application firewall or input filtering rules to ensure the 'sidx' parameter contains only expected numeric or safe values before it is used in any database query.
  • Consider removing or replacing the plugin if it is not essential to site functionality and conduct a broader review of database permissions and access controls.

Advisories

No advisories yet.

History

Sat, 16 May 2026 16:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Sat, 16 May 2026 15:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information.

Type: Title
  Values Removed: (none)
  Values Added: WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx

Type: First Time appeared
  Values Removed: (none)
  Values Added: Supsystic; Supsystic ultimate Maps

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-89

Type: CPEs
  Values Removed: (none)
  Values Added:
    cpe:2.3:a:supsystic:ultimate_maps:1.1.12:*:*:*:*:*:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.10:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.11:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.12:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.13:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.14:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.15:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.16:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.7:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.8:*:*:*:*:wordpress:*:*
    cpe:2.3:a:supsystic:ultimate_maps:1.2.9:*:*:*:*:wordpress:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Supsystic; Supsystic ultimate Maps

Type: References
  Values Removed: (none)
  Values Added: (empty)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
    cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:57.854Z

Reserved: 2026-05-15T15:04:26.823Z

Link: CVE-2020-37242

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:20.487

Modified: 2026-05-16T16:16:20.487

Link: CVE-2020-37242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T17:00:13Z

Weaknesses