CVE-2020-37169 Overview
CVE-2020-37169 is a Local File Inclusion (LFI) vulnerability in the WordPress plugin Ultimate Member version 2.1.3. The flaw resides in class-admin-upgrade.php, where the pack parameter is used to construct a file path without proper validation. Authenticated attackers can send POST requests with crafted pack values to include arbitrary PHP files from the packages directory. Successful exploitation leads to arbitrary code execution within the WordPress application context. The weakness is categorized under CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.
Critical Impact
Authenticated attackers can include arbitrary PHP files via the pack parameter, leading to code execution on affected WordPress sites running Ultimate Member 2.1.3.
Affected Products
- WordPress Plugin Ultimate Member version 2.1.3
- WordPress installations with the vulnerable plugin enabled
- Sites where attackers can obtain authenticated administrative access to the upgrade routine
Discovery Timeline
- 2026-05-13 - CVE-2020-37169 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2020-37169
Vulnerability Analysis
The vulnerability exists in the class-admin-upgrade.php file of Ultimate Member 2.1.3. The plugin accepts a user-controlled pack parameter from POST requests and concatenates it into a file path used by a PHP include or require statement. Because the plugin does not sanitize or validate the pack value against an allowlist, attackers can supply path traversal sequences or alternate file references to load unintended PHP files. When the included file contains executable PHP, the server runs it within the plugin's privileged context.
Root Cause
The root cause is improper control of a filename used in a PHP include statement [CWE-98]. The pack parameter is trusted as input to file path construction without normalization, canonicalization, or restriction to a predefined set of valid package identifiers. This pattern allows attacker-supplied values to redirect inclusion to files outside the intended packages directory.
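The PHP below is an illustration added to this advisory, not code from Ultimate Member. It places the CWE-98 pattern described above next to a hardened resolver that accepts the pack value only as a key into a fixed allowlist and then re-checks the canonical path against the packages directory. The function names, the packages directory layout (one `<id>.php` per package) and the package identifiers are assumptions made for the example.

```php
<?php
// Added illustration of the root cause and its fix, not Ultimate Member's
// own code. Function names, the packages directory layout and the
// allowlist contents are assumptions made for this example.
declare(strict_types=1);

// Package identifiers the upgrade routine is supposed to know about
// (assumed values).
const KNOWN_PACKS = ['2.1.0', '2.1.1', '2.1.3'];

// CWE-98 pattern described in the advisory: a request value becomes part of
// the include path with no validation. Kept only for contrast with the
// hardened version below; it is never called in this file.
function include_pack_unsafe(string $packages_dir, string $pack): void
{
    require_once $packages_dir . '/' . $pack . '.php';
}

// Hardened resolution: the untrusted value is accepted only if it is one of
// the known identifiers, and the canonical path is then re-checked to lie
// inside the packages directory (defence in depth, e.g. against symlinks).
function resolve_pack_path(string $packages_dir, string $pack): ?string
{
    if (!in_array($pack, KNOWN_PACKS, true)) {
        return null;                                   // not a known package
    }
    $base      = realpath($packages_dir);
    $candidate = realpath($packages_dir . '/' . $pack . '.php');
    if ($base === false || $candidate === false) {
        return null;                                   // missing dir or file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // resolved outside the dir
    }
    return $candidate;
}

// Returns true when a package file was included, false when it was refused.
function include_pack_safe(string $packages_dir, string $pack): bool
{
    $path = resolve_pack_path($packages_dir, $pack);
    if ($path === null) {
        return false;
    }
    require_once $path;
    return true;
}

// Self-contained demo on a temporary packages directory (constructed).
$dir = sys_get_temp_dir() . '/pack-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/2.1.3.php", "<?php echo \"upgrade pack 2.1.3 ran\\n\";\n");
file_put_contents(sys_get_temp_dir() . '/outside.php', "<?php echo \"outside file ran\\n\";\n");

// A known identifier, a traversal attempt, an absolute path and a
// null-byte suffix: only the first is accepted.
foreach (['2.1.3', '../outside', '/etc/hostname', "2.1.3\0"] as $pack) {
    $shown = str_replace("\0", '\\0', $pack);
    printf("%-16s => %s\n", $shown, include_pack_safe($dir, $pack) ? 'included' : 'refused');
}

unlink("$dir/2.1.3.php");
unlink(sys_get_temp_dir() . '/outside.php');
rmdir($dir);
```

The allowlist check alone closes the hole the advisory describes; the realpath prefix check costs little and also catches a package directory entry that has been replaced by a symlink pointing elsewhere.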
Attack Vector
Exploitation requires an authenticated session with permission to reach the admin upgrade handler. The attacker submits a POST request to the vulnerable endpoint with a manipulated pack value referencing a PHP file accessible on the server. The plugin then includes that file, executing any PHP it contains. The attack vector is local according to the CVSS 4.0 vector, reflecting the authenticated and admin-context preconditions for reaching the vulnerable code path.
For verified proof-of-concept details, see the Exploit-DB entry #48065 and the VulnCheck WordPress Advisory.
Detection Methods for CVE-2020-37169
Indicators of Compromise
- POST requests to WordPress admin endpoints containing a pack parameter with path traversal sequences such as ../ or absolute file paths
- Unexpected PHP file inclusions logged by the web server or WordPress debug log referencing files outside the Ultimate Member packages directory
- New or modified PHP files in plugin or upload directories shortly after admin authentication events
- Outbound network connections originating from the PHP-FPM or web server process following suspicious admin activity
Detection Strategies
- Inspect web access logs for POST requests targeting class-admin-upgrade.php or Ultimate Member upgrade handlers with non-standard pack values
- Apply web application firewall (WAF) rules that flag pack parameter values containing directory traversal patterns or unexpected characters
- Audit WordPress administrator account activity for anomalous logins preceding upgrade requests
- Correlate file integrity monitoring alerts in wp-content/plugins/ultimate-member/ with administrator HTTP sessions
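The script below is an added example for the indicators and detection strategies listed above; it is not part of the advisory, the plugin or any vendor tooling. It scans combined-format web access log lines for POST requests to the WordPress admin area whose pack value contains a traversal sequence, a null byte, an absolute path or stream wrapper, or a value outside an assumed allowlist. Standard access logs record only the query string, so a pack value sent in a POST body is visible only where the WAF or application layer logs request parameters; the constructed lines put the value in the query string so the parsing is shown end to end, and the same pack_is_suspicious check can be fed parameters from such logs. The log lines, the client addresses, the admin handler name (page=um_upgrade) and the allowlist are all constructed or assumed.

```php
<?php
// Added example for the detection strategies in this advisory; not from the
// advisory, the plugin or a vendor. Sample log lines are constructed and the
// allowlist, handler name and addresses are assumptions.
declare(strict_types=1);

// Assumed set of legitimate package identifiers.
const ALLOWED_PACKS = ['2.1.0', '2.1.3'];

// Combined log format: host ident user [time] "METHOD target PROTO" status size ...
const LOG_RE = '#^(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})#';

// Constructed sample lines: one legitimate upgrade, a traversal attempt, an
// absolute path, an unrelated GET, and an identifier that is not allowlisted.
const SAMPLE_LOG = [
    '203.0.113.10 - admin [13/May/2026:10:01:12 +0000] "POST /wp-admin/admin.php?page=um_upgrade&pack=2.1.3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - admin [13/May/2026:10:02:45 +0000] "POST /wp-admin/admin.php?page=um_upgrade&pack=..%2F..%2Fuploads%2Fx HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.10 - admin [13/May/2026:10:03:30 +0000] "POST /wp-admin/admin.php?page=um_upgrade&pack=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fuploads%2Fnote HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2026:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
    '203.0.113.22 - editor [13/May/2026:10:05:02 +0000] "POST /wp-admin/admin.php?page=um_upgrade&pack=2.1.9 HTTP/1.1" 200 77 "-" "curl/8.0"',
];

// Classifies a single pack value. parse_str() has already decoded it once;
// decoding again catches double-encoded traversal such as %252e%252e%252f.
function pack_is_suspicious(string $pack): bool
{
    $value = rawurldecode($pack);
    if (strpos($value, '..') !== false || strpos($value, "\0") !== false) {
        return true;                                  // traversal or null byte
    }
    if (preg_match('#^(?:/|\\\\|[a-z][a-z0-9+.-]*://)#i', $value)) {
        return true;                                  // absolute path or stream wrapper
    }
    return !in_array($value, ALLOWED_PACKS, true);    // anything not on the allowlist
}

// Returns one finding per suspicious admin POST carrying a pack parameter.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        if (!preg_match(LOG_RE, $line, $m) || $m['method'] !== 'POST') {
            continue;
        }
        $path  = (string) (parse_url($m['target'], PHP_URL_PATH) ?? '');
        $query = (string) (parse_url($m['target'], PHP_URL_QUERY) ?? '');
        if (strpos($path, '/wp-admin/') === false) {
            continue;                                 // only admin handlers matter here
        }
        parse_str($query, $params);
        if (!isset($params['pack']) || !is_string($params['pack'])) {
            continue;
        }
        if (pack_is_suspicious($params['pack'])) {
            $findings[] = [
                'line'   => $n + 1,
                'time'   => $m['time'],
                'ip'     => $m['ip'],
                'user'   => $m['user'],
                'pack'   => $params['pack'],
                'status' => (int) $m['status'],
            ];
        }
    }
    return $findings;
}

foreach (scan_access_log(SAMPLE_LOG) as $f) {
    printf("line %d  %s  %s (%s)  pack=%s  status=%d\n",
        $f['line'], $f['time'], $f['ip'], $f['user'], $f['pack'], $f['status']);
}
```

The allowlist comparison is what makes the rule useful beyond pattern matching: a value like 2.1.9 carries no traversal characters yet is still reported because it is not a package the plugin should be asked to load. Feed findings into the account-activity and file-integrity correlations listed above, keyed on the client address and WordPress user.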
Monitoring Recommendations
- Enable PHP error and access logging on the WordPress host and forward logs to a centralized analytics platform
- Monitor for the creation of webshells or unfamiliar PHP files in wp-content/uploads/ and plugin directories
- Alert on process executions spawned by the web server user that deviate from normal PHP workloads
How to Mitigate CVE-2020-37169
Immediate Actions Required
- Upgrade Ultimate Member to a version later than 2.1.3 that addresses the pack parameter handling
- Restrict access to the WordPress admin area using IP allowlists, multi-factor authentication, and least-privilege role assignments
- Review administrator accounts and rotate credentials for any account that may have accessed the upgrade routine
- Scan the WordPress installation for webshells and unauthorized file modifications
Patch Information
Update the Ultimate Member plugin to a fixed release through the WordPress plugin repository. Refer to the VulnCheck WordPress Advisory for vendor remediation guidance and the Exploit-DB entry for proof-of-concept context when validating fixes.
Workarounds
- Disable the Ultimate Member plugin until it can be upgraded to a patched release
- Deploy WAF rules that block POST requests containing pack values with traversal sequences or non-allowlisted package names
- Set open_basedir in PHP configuration to constrain file inclusion paths to the WordPress installation directory
# Example open_basedir restriction for WordPress (Apache httpd with mod_php; adjust the path to the actual installation)
php_admin_value open_basedir "/var/www/html/wordpress/:/tmp/"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.