WordPress Swim Team Plugin 1.44.10777 - Arbitrary File Download

The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files: 50 $file = urldecode$args'file' ; 51 $fh = fopen$file, 'r' or die'Unable to load file, something bad has happened.' ; 52 53 while !feof$fh 54 $txt .= fread$fh, 1024 ; 55 56 //...