CVE-2020-9394 in pricing-table-by-supsystic Plugin

Summary

by MITRE

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.


Analysis

by VulDB Data Team • 05/12/2025

The vulnerability identified as CVE-2020-9394 affects the pricing-table-by-supsystic WordPress plugin, specifically versions prior to 1.8.2, presenting a cross-site request forgery flaw that enables attackers to perform unauthorized actions on behalf of authenticated users. This issue stems from the plugin's inadequate protection against CSRF attacks, which occur when an attacker tricks a victim's browser into executing unwanted actions on a web application where the user is authenticated. The vulnerability exists within the plugin's handling of user requests and lacks proper validation mechanisms to ensure that requests originate from legitimate sources within the same origin.

The technical implementation flaw manifests in the plugin's failure to implement proper CSRF token validation for critical administrative functions. When users access the plugin's administrative interface, the system should verify that each request contains a valid, unpredictable token that ties the request to the user's current session. Without this protection, an attacker can host a crafted web page, or abuse another vulnerability, to submit requests that appear to originate from an authenticated user. This vulnerability directly maps to CWE-352, which defines Cross-Site Request Forgery as a security weakness where the application does not adequately validate the source of requests, allowing attackers to manipulate authenticated users into performing unintended actions.

The operational impact of this vulnerability extends beyond simple data manipulation, as it provides attackers with potential access to administrative controls within the WordPress environment. Successful exploitation could enable unauthorized modifications to pricing tables, configuration changes, or even privilege escalation within the plugin's administrative scope. Attackers might leverage this vulnerability to inject malicious content, alter pricing structures, or potentially gain broader access to the WordPress installation through the compromised plugin. The attack vector typically involves luring an authenticated administrator to visit a malicious website containing crafted requests that automatically submit commands to the vulnerable plugin, bypassing normal authentication mechanisms.

Mitigation strategies for this vulnerability require immediate plugin updates to version 1.8.2 or later, which contain the necessary CSRF protection mechanisms. Security administrators should also implement additional defensive measures including regular security audits of installed plugins, monitoring for unauthorized modifications, and ensuring that all WordPress components remain current with the latest security patches. Organizations should consider implementing Content Security Policy headers to restrict the sources from which scripts can be executed, providing an additional layer of protection against CSRF attacks. The remediation process should also include reviewing user permissions and implementing least-privilege principles to minimize the potential impact of successful exploitation. This vulnerability aligns with ATT&CK technique T1059.001, which covers command and scripting interpreter usage, as attackers may leverage compromised administrative access to execute malicious commands within the WordPress environment, and T1078.004, which addresses valid accounts through compromised credentials that could be obtained through such CSRF exploitation scenarios.
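The two paragraphs above describe the missing check (a per-user, per-action token on administrative requests) and the fix shipped in 1.8.2. The following is an added illustration, not code from the pricing-table-by-supsystic plugin or from VulDB: a generic WordPress admin-post handler that saves one plugin setting, shown first without any CSRF protection and then with the capability and nonce checks WordPress itself provides. The option name `example_pricing_currency`, the action name `example_save_pricing_settings`, the nonce field name `example_pricing_nonce` and the settings page slug `example-pricing` are all assumptions chosen for the example; it assumes a WordPress runtime where `check_admin_referer()`, `wp_nonce_field()` and `current_user_can()` are available.

```php
<?php
/**
 * Added example (not the plugin's own code). Option, action, field and page
 * names below are assumptions for illustration only.
 */

// --- Vulnerable pattern: the handler trusts any POST that reaches it. ---
// A request forged from another site is indistinguishable from a legitimate
// one, because nothing ties the request to the logged-in user's session; the
// browser attaches the victim's cookies automatically.
function example_save_pricing_settings_unsafe() {
    $currency = sanitize_text_field( wp_unslash( $_POST['currency'] ?? 'USD' ) );
    update_option( 'example_pricing_currency', $currency );
    wp_safe_redirect( admin_url( 'admin.php?page=example-pricing' ) );
    exit;
}

// --- Hardened pattern: capability check, then nonce check, before any write. ---
function example_save_pricing_settings_safe() {
    // 1. The user must actually be allowed to change settings (least privilege).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. The request must carry a nonce minted for this action and this user.
    //    check_admin_referer() runs wp_verify_nonce() on the named field and
    //    dies with HTTP 403 when the nonce is missing, expired, or was minted
    //    for another user or action. A cross-site forged request cannot
    //    include a valid value because the attacker never sees it.
    check_admin_referer( 'example_save_pricing_settings', 'example_pricing_nonce' );

    $currency = sanitize_text_field( wp_unslash( $_POST['currency'] ?? 'USD' ) );
    update_option( 'example_pricing_currency', $currency );
    wp_safe_redirect( admin_url( 'admin.php?page=example-pricing&updated=1' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; admin_post_nopriv_{action}
// is the unauthenticated variant and is deliberately not registered here.
add_action( 'admin_post_example_save_pricing_settings', 'example_save_pricing_settings_safe' );

// --- The form that issues the token. wp_nonce_field() emits a hidden input
//     whose value is derived from the action name, the current user ID, the
//     user's session token and a time window, so it is unpredictable to an
//     outside origin and expires on its own.
function example_render_pricing_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_pricing_settings">
        <?php wp_nonce_field( 'example_save_pricing_settings', 'example_pricing_nonce' ); ?>
        <label>Currency
            <input type="text" name="currency"
                   value="<?php echo esc_attr( get_option( 'example_pricing_currency', 'USD' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of flaw, the check is mechanical: every handler hooked to `admin_post_*`, `wp_ajax_*` or a settings-page `POST` that writes options or content should call `check_admin_referer()` / `check_ajax_referer()` (or `wp_verify_nonce()` directly) and a `current_user_can()` check before the first write. The unsafe function above is what that audit flags; the safe one is the shape the 1.8.2 fix is expected to take.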

Responsible: MITRE

Reservation: 02/25/2020

Moderation: accepted

CPE: ready

EPSS: 0.00273

KEV: no

Activities: very low

Sources
