ultimate-member Plugin Vulnerability (CVE-2020-37169)


Security Alert Summary

The WordPress plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers with low privileges to supply a crafted pack parameter to a server-side upgrade routine, potentially including unintended PHP files from the packages directory and leading to arbitrary code execution on affected installations.


CVE Details

  • CVE ID: CVE-2020-37169
  • Affected component: WordPress Plugin ultimate-member (class-admin-upgrade.php handling the pack parameter)
  • Affected versions: 2.1.3 (as stated in the advisory)
  • Published: May 13, 2026 at 4:16:32 PM
  • Last modified: May 13, 2026 at 4:16:32 PM
  • CVSS v3.1: Base score 5.5, Severity MEDIUM, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (PR: LOW); no user interaction required (UI: NONE).
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE.
  • CWE / weakness: CWE-98 (Improper Control of Filename for Include/Require Statement)

Technical Details

The plugin contains a local file inclusion (LFI) vulnerability in an upgrade-related component. Specifically, the handler in class-admin-upgrade.php reads a pack parameter from POST requests and uses it to build the path of a file to include from the packages directory. By supplying crafted pack values, an attacker can cause the application to include unintended PHP files from that directory.

The underlying issue is improper validation or sanitization of the filename supplied to the include/require logic, consistent with CWE-98. When the application includes a file an attacker can choose, or whose contents an attacker can influence (for example a file they were able to upload elsewhere on the server), the result is execution of arbitrary PHP code in the context of the web server process.

Note one tension in the record as published: the CVSS vector above (AV:L, C:H/I:N/A:N) describes a local attack with a confidentiality-only impact, which is narrower than the network-reachable code-execution outcome the narrative describes. Treat the vector as the record's scoring and the narrative as the worst case, and prioritize accordingly.
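To make the CWE-98 pattern concrete, here is an added illustration of the vulnerable shape beside a hardened rewrite. This is example code written for this page, not code from the Ultimate Member plugin; the um_* function names, the packages path layout, the 'manage_options' capability and the nonce action name are all assumptions chosen for the example.

```php
<?php
// Added illustration for this advisory; it is NOT code from the Ultimate Member
// plugin. The um_* names, the packages layout, the 'manage_options' capability
// and the nonce action are assumptions for the example.

define('UM_PACKAGES_DIR', __DIR__ . '/packages/');

// Vulnerable shape (CWE-98): a request-controlled string is concatenated into
// the include path. PHP honours "../" segments, so a value such as
// "../../../../tmp/evil" escapes the packages directory entirely.
function um_run_upgrade_pack_vulnerable(string $pack): void {
    $file = UM_PACKAGES_DIR . $pack . '/init.php';
    if (file_exists($file)) {
        include $file;            // attacker-chosen PHP runs as the web server user
    }
}

// Step 1 of the fix: accept only identifiers shaped like a package version
// (digits and dots, optional suffix). Anything else is rejected before any
// filesystem call, so "../", "/", NUL bytes and stream wrappers never get a look-in.
function um_is_valid_pack_id(string $pack): bool {
    return (bool) preg_match('/\A[0-9]+(?:\.[0-9]+){1,3}(?:-[A-Za-z0-9]+)?\z/', $pack);
}

// Step 2: resolve the candidate to a canonical path and require it to sit
// inside the packages directory. Returns the resolved path, or null.
function um_resolve_pack_file(string $pack): ?string {
    if (!um_is_valid_pack_id($pack)) {
        return null;
    }
    $base = realpath(UM_PACKAGES_DIR);
    $file = realpath(UM_PACKAGES_DIR . $pack . '/init.php');
    if ($base === false || $file === false) {
        return null;
    }
    // Containment check against the resolved base (symlinks already followed).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

function um_run_upgrade_pack_safe(string $pack): bool {
    $file = um_resolve_pack_file($pack);
    if ($file === null) {
        return false;
    }
    include $file;
    return true;
}

// Step 3: the request handler. Even a correct path check should not be
// reachable by a low-privileged account, so gate it on a capability and a nonce
// (current_user_can, check_admin_referer, wp_unslash, sanitize_text_field and
// wp_die are standard WordPress functions).
function um_handle_upgrade_request(): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges.', '', ['response' => 403]);
    }
    check_admin_referer('um_upgrade_pack');   // nonce action name is an assumption
    $pack = isset($_POST['pack']) ? sanitize_text_field(wp_unslash($_POST['pack'])) : '';
    if (!um_run_upgrade_pack_safe($pack)) {
        wp_die('Invalid upgrade package.', '', ['response' => 400]);
    }
}

// Stand-alone demo (php this_file.php): exercises the identifier check with
// constructed inputs, without WordPress or any packages on disk.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $samples = ['2.1.3', '2.1.3-beta1', '../../../wp-config', '/etc/passwd',
                "2.1.3\0.php", 'php://filter/resource=x'];
    foreach ($samples as $p) {
        printf("%-28s %s\n", addcslashes($p, "\0"), um_is_valid_pack_id($p) ? 'valid' : 'rejected');
    }
}
```

The order of the three steps matters. The allowlist regex does the real work and costs nothing; the realpath containment check is defence in depth for the case where a package directory is itself a symlink; the capability and nonce checks are what stop a contributor-level account from reaching the routine at all, which is the precondition the advisory describes.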


How This Could Impact Your Website

In a realistic scenario, a site may have multiple users: the site owner, internal staff who manage content, and external contributors or contractors. If an attacker gains access to a low-privileged account (for example, a contributor or other low-level role), they could send crafted POST requests targeting the pack parameter in the upgrade endpoint. This could expose sensitive data or enable execution of server-side code.

Practical consequences include unauthorized disclosure of sensitive site data (consistent with the HIGH confidentiality impact), which could reveal internal user email addresses or other private information. That information can be used for targeted phishing or social engineering against staff, contractors, or customers. If you are unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Confirm the installed plugin version (2.1.3 is the version named in the advisory) and update as soon as a patched release is available.
  • Review and reduce unnecessary user roles and privileges, especially for contributors and low-privilege accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual POST requests to admin or upgrade endpoints, unexpected file inclusions, or other anomalous behavior. Note that the pack parameter travels in the POST body, so a standard web server access log will not show it; use a WAF or request-body audit log for that, and watch for newly created PHP files under the plugin's packages directory or elsewhere in the webroot.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References