Description
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.
Published: 2026-05-16
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Supsystic Backup 2.3.9 for WordPress is recorded as local file inclusion (CWE-98), but the behaviour described is path traversal: the download parameter of an admin.php request accepts directory traversal sequences, so an unauthenticated attacker can read any file the web server process can read (for example /etc/passwd, or wp-config.php with its database credentials), and the removeAction parameter can be driven the same way to delete files. Confidentiality of server-side data is therefore lost outright; deletion of plugin, WordPress core or backup files also damages integrity and can take the site down.

Affected Systems

Supsystic Backup plugin for WordPress, version 2.3.9. Any WordPress site running that version is exposed. The record lists no other vendor, product or version and says nothing about earlier releases, so those should be treated as unverified rather than safe.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (v3.1: 6.2) is Medium, but both published vectors record AV:L (local access) and no integrity impact, which contradicts the description's unauthenticated remote read and delete; if the description is accurate the score understates exposure and should not be used alone when prioritising. EPSS is not available, so there is no empirical exploitation estimate, and the CVE is not in the CISA KEV catalog. What exploitation needs is modest: crafted HTTP requests to admin.php from any client that can reach the site, carrying traversal sequences in the download or removeAction parameter, with no credentials and no user interaction. Requests of that shape are easy to spot in web server logs.
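Because exploitation is just an admin.php request with a traversal sequence in a known parameter, the first practical step for defenders is to look for those requests in access logs. The following is an added example for this advisory, not code from OpenCVE or the plugin vendor: it parses common-format access log lines, fully percent-decodes the download and removeAction parameters (so double-encoded ..%252f.. is caught), and flags traversal sequences or absolute paths. The parameter names come from the description; the log lines are constructed, and treating both parameters as able to carry a path is an assumption.

```python
"""Flag admin.php requests whose download/removeAction parameters carry
directory traversal, for triage from web server access logs.

Added example for this advisory, not code from OpenCVE or the plugin vendor.
The parameter names come from the description; the log lines are constructed,
and treating both parameters as able to carry a path is an assumption."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory names as attacker-controlled.
SUSPECT_PARAMS = ("download", "removeAction")

# Traversal sequences (either separator) plus two high-value targets.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|/etc/passwd|wp-config\.php", re.IGNORECASE)

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: three traversal attempts from one client (plain,
# percent-encoded, double-encoded) and one legitimate download.
SAMPLE_LOG = """\
203.0.113.5 - - [16/May/2026:15:00:01 +0000] "GET /wp-admin/admin.php?page=supsystic-backup&download=../../../../etc/passwd HTTP/1.1" 200 1803
203.0.113.5 - - [16/May/2026:15:00:03 +0000] "GET /wp-admin/admin.php?page=supsystic-backup&download=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2311
198.51.100.7 - - [16/May/2026:15:01:10 +0000] "GET /wp-admin/admin.php?page=supsystic-backup&download=backup-2026-05-16.zip HTTP/1.1" 200 9182
203.0.113.5 - - [16/May/2026:15:02:20 +0000] "GET /wp-admin/admin.php?page=supsystic-backup&removeAction=..%252f..%252fwp-config.php HTTP/1.1" 200 55
"""


def decode_fully(value, rounds=3):
    """Percent-decode until stable so double-encoded ..%252f.. is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(target):
    """Return [(param, decoded_value)] for suspect parameters carrying a
    traversal sequence or an absolute path; [] for a clean admin.php request."""
    parts = urlsplit(target)
    if not parts.path.endswith("admin.php"):
        return []
    hits = []
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        if param not in SUSPECT_PARAMS:
            continue
        for raw in values:  # parse_qs has already decoded once
            value = decode_fully(raw)
            if TRAVERSAL_RE.search(value) or value.startswith(("/", "\\")):
                hits.append((param, value))
    return hits


def scan_log(lines):
    """Return one finding per log line whose request is flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = flag_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["ts"], f["status"], f["hits"])
```

A 200 response to a flagged request is the signal that matters: it means the file was served (or deleted) rather than rejected, and the source IP should be checked for follow-up requests to other paths.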

Generated by OpenCVE AI on May 16, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's changelog for a release that addresses this issue and upgrade to it; at the time of writing the record lists no fixed version, so 2.3.9 (and any release the vendor has not explicitly fixed) should be treated as vulnerable.
  • If an immediate upgrade is not possible, remove or disable the Supsystic Backup plugin from the WordPress installation. Blocking admin.php requests whose download or removeAction parameter contains traversal sequences at the web server or WAF is a stopgap only, since encoding variants are easy to miss.
  • Otherwise, have the download and removeAction handlers require a logged-in user with the appropriate capability plus a nonce, accept only a bare filename (no separators, no '..'), resolve it with realpath() under the plugin's backup directory, and reject any result outside that directory or with an unexpected extension.
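The path validation the last bullet describes, as an added example (Python here for a runnable demonstration; the plugin itself is PHP, where Path.resolve() corresponds to realpath()). This is not the plugin's code: the function names, the backup directory layout and ALLOWED_SUFFIXES are assumptions, and the demo builds its own files in a temporary directory. It goes slightly beyond the advisory's case by also covering a symlink planted inside the backup directory and a double-encoded value that survives one round of URL decoding.

```python
"""Constrain the download/remove target to a file inside the plugin's backup
directory before reading or deleting it.

Added example for this advisory, not the plugin's own code: the function
names, the backup directory layout and ALLOWED_SUFFIXES are assumptions, and
the demo builds its own files in a temporary directory."""
import tempfile
from pathlib import Path

# Archive types a backup plugin plausibly produces (assumption).
ALLOWED_SUFFIXES = (".zip", ".sql", ".tar.gz")


class UnsafePath(ValueError):
    """Raised for any request that does not name a file in the backup dir."""


def resolve_backup_path(backup_dir, requested):
    """Map a user-supplied name to a Path inside backup_dir or raise UnsafePath.

    Three independent checks: the value must be a bare filename (no '/',
    no '\\', no '..', no NUL); the canonical path, after following symlinks as
    PHP realpath() would, must stay under the canonical backup directory; and
    the extension must be one the plugin produces. Each check alone blocks the
    traversal from the advisory; together they also cover symlinks and
    double-encoded values that survive one round of URL decoding."""
    if not requested or "\x00" in requested:
        raise UnsafePath("empty or NUL-containing name")
    if "/" in requested or "\\" in requested or requested in (".", ".."):
        raise UnsafePath(f"not a bare filename: {requested!r}")
    if not requested.endswith(ALLOWED_SUFFIXES):
        raise UnsafePath(f"disallowed extension: {requested!r}")
    base = Path(backup_dir).resolve(strict=True)
    target = (base / requested).resolve()
    if base not in target.parents:
        raise UnsafePath(f"escapes backup dir: {requested!r}")
    return target


def read_backup(backup_dir, requested):
    """Hardened download handler: returns the archive bytes."""
    return resolve_backup_path(backup_dir, requested).read_bytes()


def delete_backup(backup_dir, requested):
    """Hardened removeAction handler: deletes only a validated archive."""
    resolve_backup_path(backup_dir, requested).unlink()
    return True


def _attempt(backup_dir, name):
    try:
        read_backup(backup_dir, name)
        return "allowed"
    except UnsafePath:
        return "rejected"


def demo():
    """Build a temp tree (backups/ plus a wp-config.php outside it) and run
    the handlers against legitimate and hostile names. Returns a dict of
    outcomes so the result can be checked rather than just printed."""
    root = Path(tempfile.mkdtemp())
    backups = root / "backups"
    backups.mkdir()
    (backups / "backup-2026-05-16.zip").write_bytes(b"PK\x03\x04demo")
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'secret');\n")

    results = {"legit": read_backup(backups, "backup-2026-05-16.zip") == b"PK\x03\x04demo"}
    for name in ("../wp-config.php",          # plain traversal from the advisory
                 "..%2f..%2fwp-config.php",   # double-encoded, decoded once upstream
                 "/etc/passwd",               # absolute path
                 "..",                        # the directory itself
                 "notes.php"):                # wrong extension
        results[name] = _attempt(backups, name)

    # Symlink inside the backup dir pointing outside: only the realpath check
    # catches this one. Skipped where the platform refuses to create symlinks.
    try:
        (backups / "link.zip").symlink_to(root / "wp-config.php")
        results["symlink"] = _attempt(backups, "link.zip")
    except OSError:
        results["symlink"] = "skipped"

    results["delete"] = (delete_backup(backups, "backup-2026-05-16.zip")
                         and not (backups / "backup-2026-05-16.zip").exists())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

The order of the checks matters less than keeping all three: the bare-filename rule is cheap and readable, the extension rule limits what a bypass could reach, and the canonical-path containment check is the one that holds up against symlinks and encodings nobody anticipated.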

Generated by OpenCVE AI on May 16, 2026 at 16:26 UTC.


Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description   -                Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.
Title         -                WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion
Weaknesses    -                CWE-98
References    -                -
Metrics       -                cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:01.314Z

Reserved: 2026-05-16T14:20:25.326Z

Link: CVE-2020-37246

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:20.993

Modified: 2026-05-16T16:16:20.993

Link: CVE-2020-37246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses