CVE-2020-37169

MEDIUM NVD

CVSS Score 5.5

Severity MEDIUM

Published May 13, 2026

Vendor unknown

Description

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code.

References

https://www.exploit-db.com/exploits/48065
https://www.vulncheck.com/advisories/wordpress-plugin-ultimate-member-local-file-inclusion