Description
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code.
Published: 2026-05-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local file inclusion flaw (CWE-98) in Ultimate Member 2.1.3. By manipulating the 'pack' parameter in class-admin-upgrade.php through a crafted POST request, an authenticated attacker can make the plugin include unintended PHP files from its packages directory and execute them. The published description states this allows arbitrary code execution on the server, which would compromise the confidentiality, integrity and availability of the WordPress site. Note that the CVSS 3.1 and 4.0 vectors attached to the record rate only confidentiality impact (C:H / VC:H, with integrity and availability rated none) and a local attack vector (AV:L), which is narrower than the description; treat the vectors as the assigner's rating rather than as a ceiling on impact if code execution is confirmed.

Affected Systems

Only Ultimate Member 2.1.3 for WordPress is listed as affected (cpe:2.3:a:ultimatemember:ultimate_member:2.1.3). The record names no other versions, which does not establish that earlier or later releases are unaffected; confirm the fixed version against the vendor's changelog before treating 2.1.3 as the only vulnerable release. The flaw resides in the class-admin-upgrade.php script, which runs during plugin upgrades, so exploitation requires an authenticated user who can reach that routine; the CVSS vectors rate the required privileges as low (PR:L).

Risk and Exploitability

The 6.8 score is the CVSS 4.0 rating; the CVSS 3.1 vector scores 5.5. Both are Medium, but a confirmed arbitrary code execution path would leave a compromised site far more exposed than the vectors alone suggest. The EPSS score is below 1% (Very Low), indicating a low predicted probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog, so there is no evidence of widespread exploitation yet. Because only authenticated users can trigger the flaw, the attack surface is smaller than for unauthenticated weaknesses, but any compromised account that can reach the upgrade routine becomes a path to server-side code execution.

Generated by OpenCVE AI on May 13, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ultimate Member plugin to the newest available version as soon as a fix ships; check the vendor's release notes for the version that addresses this issue.
  • If an update cannot be applied immediately, restrict who can reach the admin upgrade routine (trusted administrators only) and consider a temporary code-level mitigation that validates the pack value against an allowlist of expected package names and rejects any value containing path separators or traversal sequences; revert it once the official fix is applied. Removing or renaming the parameter is not a fix: it breaks the upgrade routine without addressing the unvalidated include.
  • Deploy a web application firewall rule that inspects the POST body for traversal and encoded-traversal patterns in the pack parameter (a rule that only inspects the query string will miss it). A PHP open_basedir restriction limits which files can be included from outside the web tree but does not block files inside it. Monitor request-body or WAF logs for unexpected pack values sent to the upgrade endpoint, since standard access logs do not record POST bodies.
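The following is an added example, not Ultimate Member's code and not taken from this record: it shows the CWE-98 pattern the Impact analysis describes (an include path built from an untrusted pack value), a hardened resolver of the kind the mitigation bullets call for, and a log check that reuses the same predicate. It is written in Python rather than PHP so it can be run anywhere. The packages directory layout, the ".php" suffix, the version-like pack names, the admin.php?page=um_upgrade endpoint in the sample log, and the request-body log format are all assumptions made for the demo.

```python
"""Added example (not Ultimate Member's code): the CWE-98 pattern behind a
'pack'-style include, a hardened resolver, and a log check that reuses it.
The packages directory layout, the '.php' suffix, the version-like pack
names and the request-body log format are all assumptions for this demo."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Throwaway tree so the example runs offline: packages/2.1.0.php,
# packages/2.1.3.php, and a wp-config.php one level up as a traversal target.
# All files are constructed placeholders.
ROOT = tempfile.mkdtemp()
PACKAGES_DIR = os.path.join(ROOT, "packages")
os.makedirs(PACKAGES_DIR)
for name in ("2.1.0", "2.1.3"):
    with open(os.path.join(PACKAGES_DIR, name + ".php"), "w") as fh:
        fh.write("<?php // upgrade routine placeholder\n")
with open(os.path.join(ROOT, "wp-config.php"), "w") as fh:
    fh.write("<?php // placeholder outside the packages directory\n")

# Allowlist derived from what actually ships in the packages directory.
ALLOWED_PACKS = frozenset(os.path.splitext(f)[0] for f in os.listdir(PACKAGES_DIR))
# Shape a legitimate pack name is assumed to have: digits and dots only.
PACK_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def resolve_pack_vulnerable(pack: str) -> str:
    """The vulnerable pattern: glue the untrusted value onto the base
    directory and hand it straight to include. No validation at all."""
    return os.path.join(PACKAGES_DIR, pack + ".php")


def escapes_packages_dir(path: str) -> bool:
    """True when the path, once '..' and symlinks are resolved, lies outside
    PACKAGES_DIR. Used to show what the vulnerable resolver would include."""
    base = os.path.realpath(PACKAGES_DIR) + os.sep
    return not os.path.realpath(path).startswith(base)


def resolve_pack_hardened(pack: str):
    """Return the package path only if 'pack' is a known package name and the
    resolved path stays inside PACKAGES_DIR; otherwise return None.
    Three independent layers: shape, allowlist, containment."""
    if not PACK_RE.fullmatch(pack):        # rejects '/', '..', '%', NUL, etc.
        return None
    if pack not in ALLOWED_PACKS:          # only packages the plugin ships
        return None
    candidate = os.path.join(PACKAGES_DIR, pack + ".php")
    if escapes_packages_dir(candidate):    # belt and braces via realpath
        return None
    return os.path.realpath(candidate)


# Detection. Access logs do not record POST bodies, so this assumes a
# request-body log (for instance a WAF audit log) flattened to one line per
# request as "<ip> <method> <path> body=<urlencoded body>". Constructed sample:
SAMPLE_LOG = """\
10.0.0.5 POST /wp-admin/admin.php?page=um_upgrade body=pack=2.1.3
10.0.0.9 POST /wp-admin/admin.php?page=um_upgrade body=pack=..%2F..%2Fwp-config
10.0.0.9 POST /wp-admin/admin.php?page=um_upgrade body=pack=....//....//wp-config
10.0.0.7 GET /wp-admin/admin.php?page=um_upgrade&pack=2.1.0 body=
"""
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$")


def suspicious_pack_requests(log_text: str):
    """Return (ip, decoded pack value) for every request whose pack value the
    hardened resolver would refuse. Values are URL-decoded before inspection,
    so %2F obfuscation cannot slip past the way it would past a literal grep."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for src in (m["body"], urlsplit(m["path"]).query):
            for pack in parse_qs(src, keep_blank_values=True).get("pack", []):
                if resolve_pack_hardened(pack) is None:
                    hits.append((m["ip"], pack))
    return hits


if __name__ == "__main__":
    for probe in ("2.1.3", "../wp-config", "/etc/passwd", "2.1.9"):
        vuln = resolve_pack_vulnerable(probe)
        print(f"{probe!r:16} vulnerable -> {vuln} (escapes: {escapes_packages_dir(vuln)})"
              f"  hardened -> {resolve_pack_hardened(probe)}")
    for ip, pack in suspicious_pack_requests(SAMPLE_LOG):
        print(f"suspicious pack value from {ip}: {pack!r}")
```

The shape check alone would stop every probe above; the allowlist and realpath containment are kept so that a later loosening of the regex (say, to allow package names with letters) does not silently reopen the traversal. Using the same predicate for both rejection and hunting means the detection cannot drift from what the code actually refuses.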

Generated by OpenCVE AI on May 13, 2026 at 17:08 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Wed, 13 May 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Description                           WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code.
Title                                 WordPress Plugin ultimate-member 2.1.3 Local File Inclusion
First Time appeared                   Ultimatemember; Ultimatemember ultimate Member
Weaknesses                            CWE-98
CPEs                                  cpe:2.3:a:ultimatemember:ultimate_member:2.1.3:*:*:*:*:*:*:*
Vendors & Products                    Ultimatemember; Ultimatemember ultimate Member
References
Metrics                               cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                                      cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-13T15:33:39.501Z

Reserved: 2026-02-06T12:30:45.308Z

Link: CVE-2020-37169

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-13T16:16:32.747

Modified: 2026-05-13T17:07:21.030

Link: CVE-2020-37169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')