CVE-2020-37246 MEDIUM

CVE-2020-37246: WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion

Vendor Supsystic
Product Backup
Weakness CWE-98 · PHP file inclusion
Published May 16, 2026
Last update May 18, 2026

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.

Explanation of Vulnerability in Simple Terms

02Summary

A local vulnerability in Supsystic Backup allows an attacker with local system access to read sensitive information from the backup component. The vulnerability requires no authentication or user interaction. The affected version range appears to contain a single version (2.3.9), though the current version is listed as 3.1.21.3, suggesting this may be a legacy or incorrectly specified version constraint.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the backup system via local file access.

Potential impact on your site

04Site Impact

Backup data containing site configuration, database contents, or other sensitive information could be exposed to users with server access.

Conditions required to exploit

05Prerequisites

Local access to the server; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 16, 2026 CVE published
May 18, 2026 Record updated

Related vulnerabilities

08Related CVE