Description
This plugin does not validate a path generated from user input when downloading files, allowing unauthenticated users to download arbitrary files from the server.
https://example.com/wp-content/themes/cas/download.php?path=<<FILE_TO_DOWNLOAD>>
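
A containment check of the kind the description says is missing, written here as an added PHP example; it is not the theme's or plugin's own code. The function name `resolve_download_path`, the dedicated `files` directory and the sample files are assumptions made for illustration.

```php
<?php
// Added example (hypothetical handler logic, not the vendor's code).
// Assumption: every downloadable file lives under one dedicated directory.

/**
 * Resolve a user-supplied path against $baseDir. Returns the canonical
 * absolute path, or null when the result is not a regular file inside $baseDir.
 */
function resolve_download_path(string $baseDir, string $userPath): ?string
{
    // Empty input and embedded NUL bytes are never valid file names.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." segments and follows symlinks;
    // it returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "/srv/files-old" does not pass as being inside "/srv/files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed self-check: builds a throwaway directory tree when run from the CLI.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
    mkdir($root . '/files', 0700, true);
    file_put_contents($root . '/files/report.pdf', 'constructed sample');
    file_put_contents($root . '/secret.txt', 'outside the base directory');

    $inputs = ['report.pdf', './report.pdf', '../secret.txt', $root . '/secret.txt'];
    foreach ($inputs as $input) {
        $resolved = resolve_download_path($root . '/files', $input);
        printf("%-40s => %s\n", $input, $resolved === null ? 'rejected' : 'allowed');
    }
}
```

A handler built on this would return a 404 whenever the function yields `null` and would pass only the returned canonical path to the file-reading call, never the raw request parameter.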