WordPress Plugin Ultimate Member Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the WordPress plugin Ultimate Member, specifically in version 2.1.3. This vulnerability allows authenticated attackers to include arbitrary files by manipulating the 'pack' parameter in 'class-admin-upgrade.php'. Exploitation involves sending POST requests with malicious 'pack' values to include unintended PHP files from the packages directory, potentially leading to the execution of arbitrary code.

Impact

Exploitation of this vulnerability could allow authenticated attackers to execute arbitrary code on the server.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to 'class-admin-upgrade.php' with a crafted 'pack' parameter. This parameter can be manipulated to include arbitrary PHP files from the packages directory, which will then be executed on the server.
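As an added illustration for the Vulnerability and Reproduction sections above (this is not the Ultimate Member plugin's code, nor a description of the fix shipped in a later release), the following PHP contrasts the unsafe pattern the advisory describes, where the request body chooses the file that gets included, with a handler that allowlists package names, requires a capability and a nonce, and confines the resolved path to the packages directory. The function names, the `init.php` file name inside each package, the `um_upgrade` nonce action and the `manage_options` capability are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Assumes a layout of
// <packages_dir>/<pack>/init.php for each upgrade package.

// Unsafe pattern (hypothetical): the 'pack' POST value is concatenated
// straight into the include path, so any authenticated caller decides
// which file on disk gets included and executed.
function load_pack_unsafe(string $packages_dir): void {
    $pack = $_POST['pack'] ?? '';
    include $packages_dir . '/' . $pack . '/init.php';
}

// Hardened resolution: returns the absolute path to include, or null if
// the request must be refused.
function resolve_pack_path(string $packages_dir, string $pack, array $allowed): ?string {
    // 1. Only package names the upgrade routine actually knows about.
    if (!in_array($pack, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: no separators, traversal or NUL bytes even
    //    for allowlisted names.
    if ($pack !== basename($pack) || strpos($pack, "\0") !== false) {
        return null;
    }
    $base   = realpath($packages_dir);
    $target = realpath($packages_dir . '/' . $pack . '/init.php');
    // 3. The file must exist and must resolve inside the packages directory.
    if ($base === false || $target === false) {
        return null;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

function load_pack_safe(string $packages_dir, array $allowed): bool {
    // Privilege and CSRF checks: plain authentication is not enough for
    // an admin upgrade action (capability and nonce action are assumptions).
    if (!current_user_can('manage_options') || !check_ajax_referer('um_upgrade', 'nonce', false)) {
        return false;
    }
    $pack = isset($_POST['pack']) ? (string) $_POST['pack'] : '';
    $path = resolve_pack_path($packages_dir, $pack, $allowed);
    if ($path === null) {
        return false;   // log and reject; never fall back to the raw value
    }
    include $path;
    return true;
}
```

The allowlist in `$allowed` should be a fixed list maintained in code alongside the packages directory, never derived from the request.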

Added: May 13, 2026, 7:00 PM
Updated: May 13, 2026, 7:00 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.