📄 Description (English)
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code.
🤖 AI Executive Summary
CVE-2020-37169 is a local file inclusion (LFI) vulnerability in WordPress Plugin Ultimate Member 2.1.3 that allows authenticated attackers to execute arbitrary code by manipulating the 'pack' parameter. While requiring authentication, this vulnerability poses significant risk to WordPress-based government and corporate portals in Saudi Arabia. The lack of available patches necessitates immediate compensating controls and plugin replacement evaluation.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 25, 2026 13:33
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi government portals, municipal websites, and corporate membership systems using Ultimate Member. Government entities under NCA oversight, ARAMCO contractor portals, banking customer portals, and healthcare provider networks are at elevated risk. Authenticated users (employees, contractors, customers) could escalate privileges and access sensitive data. Impact is amplified in organizations with inadequate user access controls and monitoring.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Energy
Telecommunications
Education
E-commerce
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations for Ultimate Member plugin version 2.1.3 or earlier
2. Disable the Ultimate Member plugin immediately if version 2.1.3 is detected
3. Review user access logs for suspicious POST requests to class-admin-upgrade.php with unusual 'pack' parameters
4. Identify and audit all authenticated user accounts with administrative privileges
PATCHING GUIDANCE:
1. Update to Ultimate Member 2.1.4 or later if available
2. If no patch available, replace Ultimate Member with alternative membership plugins (e.g., MemberPress, Paid Memberships Pro)
3. Implement Web Application Firewall (WAF) rules to block POST requests containing suspicious 'pack' parameter values
COMPENSATING CONTROLS:
1. Implement strict input validation on the 'pack' parameter - whitelist only known valid package names
2. Restrict file inclusion to a specific directory outside web root
3. Disable PHP execution in the packages directory via .htaccess or web server configuration
4. Implement principle of least privilege for authenticated users
5. Enable detailed logging of all file inclusion attempts
DETECTION RULES:
1. Monitor for POST requests to /wp-admin/admin.php?page=um_upgrade with pack parameter containing path traversal sequences (../, ..\\ , etc.)
2. Alert on any PHP file execution from packages directory
3. Monitor for unusual file access patterns from web server process
4. Track failed and successful authentication attempts followed by upgrade page access
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress للبحث عن مكون Ultimate Member الإصدار 2.1.3 أو أقدم
2. تعطيل مكون Ultimate Member فوراً إذا تم اكتشاف الإصدار 2.1.3
3. مراجعة سجلات الوصول للبحث عن طلبات POST مريبة إلى class-admin-upgrade.php بمعاملات 'pack' غير عادية
4. تحديد وتدقيق جميع حسابات المستخدمين المصرحين بامتيازات إدارية
إرشادات التصحيح:
1. التحديث إلى Ultimate Member 2.1.4 أو أحدث إن توفر
2. إذا لم يتوفر تصحيح، استبدل Ultimate Member بمكونات عضوية بديلة (مثل MemberPress أو Paid Memberships Pro)
3. تطبيق قواعد جدار الحماية لتطبيقات الويب لحجب طلبات POST التي تحتوي على قيم مريبة لمعامل 'pack'
الضوابط التعويضية:
1. تطبيق التحقق الصارم من المدخلات على معامل 'pack' - قائمة بيضاء بأسماء الحزم المعروفة فقط
2. تقييد إدراج الملفات إلى دليل محدد خارج جذر الويب
3. تعطيل تنفيذ PHP في دليل الحزم عبر .htaccess أو إعدادات خادم الويب
4. تطبيق مبدأ أقل امتياز للمستخدمين المصرحين
5. تفعيل التسجيل التفصيلي لجميع محاولات إدراج الملفات
قواعد الكشف:
1. مراقبة طلبات POST إلى /wp-admin/admin.php?page=um_upgrade مع معامل pack يحتوي على تسلسلات اجتياز المسار
2. تنبيه عند أي تنفيذ ملف PHP من دليل الحزم
3. مراقبة أنماط الوصول غير العادية للملفات من عملية خادم الويب
4. تتبع محاولات المصادقة الفاشلة والناجحة متبوعة بالوصول إلى صفحة الترقية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - User Access Management
A.6.2.1 - User Registration and De-registration
A.8.2.1 - Classification of Information
A.8.2.3 - Handling of Assets
A.12.2.1 - Controls Against Malware
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
A.14.2.1 - Secure Development Policy
🔵 SAMA CSF
ID.AM-2 - Software Inventory
PR.AC-1 - Access Control Policy
PR.AC-4 - Access Rights Management
PR.DS-2 - Data Security
DE.CM-1 - System Monitoring
DE.CM-3 - Unauthorized Software Detection
RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
A.5.1.1 - Information Security Policies
A.6.1.1 - User Access Management
A.6.2.1 - User Registration and De-registration
A.8.1.1 - Asset Inventory
A.12.2.1 - Malware Protection
A.12.4.1 - Event Logging
A.14.2.1 - Secure Development
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall Configuration Standards
Requirement 6.2 - Security Patches
Requirement 6.5.1 - Injection Flaws
Requirement 10.2 - User Access Logging
Requirement 10.3 - Log Protection