cleantalk
Vulnerabilities and Security Researches

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin, CVE-2020-37169

CVE, Research URL

CVE-2020-37169

Home page URL

Security reports for Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Application

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Published on
May 13, 2026
Research Description
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code.
Affected versions
max 2.1.3.
Status
vulnerable
Previous vulnerability researches
Video & Photo Gallery for Ultimate Member (CVE-2025-32121) , Apr 06, 2025
Video & Photo Gallery for Ultimate Member (CVE-2024-12162) , Dec 13, 2024
Video & Photo Gallery for Ultimate Member (CVE-2024-54370) , Dec 18, 2024
Video & Photo Gallery for Ultimate Member (CVE-2025-22672) , Feb 20, 2025
BuddyForms Ultimate Member (CVE-2023-33999) , Jun 13, 2026
New vulnerability
Maspik – Spam Blacklist (CVE-2025-9979) , Jun 14, 2026
WP How to – WordPress Tutorial Videos (CVE-2023-33999) , Jun 14, 2026
Lightbox – EverlightBox Gallery (CVE-2023-33999) , Jun 14, 2026
Open User Map (CVE-2023-33999) , Jun 14, 2026
All-in-One Addons for Elementor – WidgetKit (CVE-2025-8779) , Jun 14, 2026