############################################################################################

# Exploit Title : WordPress 4.8.9 Rowe Themes Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepage : rowesa.co.za ~ knack.digital ~ knakdigital.com - wordpress.org
# Software Information Link : rowesa.co.za/#design-companies
# Software Affected Version : 4.8.9
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:"/wp-content/themes/rowe/" intext:"Website designed by KNACK DIGITAL"
# Vulnerability Type : 
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Impact :
***********
* WordPress 4.8.9 Rowe Themes is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process and obtain potentially sensitive information.
* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
* The software has a Relative Path Traversal vulnerability: it uses external input to construct a pathname that should be within a restricted directory, but does not properly neutralize sequences such as ".." that can resolve to a location outside of that directory.

############################################################################################

Vulnerable File :
***************** 
/download.php

Vulnerable Parameter :
********************
?download_file=

# Arbitrary File Download Exploit :
*******************************
/wp-content/themes/rowe/download/download.php?download_file=[FILENAME]
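The check that download.php is missing, as an added example written for this advisory (not the theme's or WordPress's code, and in Python rather than the theme's PHP so the logic can be run directly): a handler resolves the requested name under a fixed download directory and refuses anything whose canonical path leaves it, and a defender can flag past attempts in the access log. The base directory, file names and log lines are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real traffic): one normal
# download, one traversal attempt against download_file, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2019:10:00:00 +0000] "GET /wp-content/themes/rowe/download/download.php?download_file=brochure.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Mar/2019:10:00:01 +0000] "GET /wp-content/themes/rowe/download/download.php?download_file=..%2F..%2F..%2Fsecrets.txt HTTP/1.1" 200 900',
    '203.0.113.9 - - [18/Mar/2019:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 12000',
]


def resolve_download(base_dir: str, requested: str) -> str:
    """Return the canonical path for `requested` only if it stays inside base_dir.
    Raises ValueError for '..' segments, absolute paths, null bytes, or a symlink
    pointing outside the download directory; existence is checked at open() time."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed file name")
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: "/srv/downloads-evil" must not pass for "/srv/downloads"
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the download directory")
    return target


# A '..' path segment, with either slash style, matched after URL decoding.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST = re.compile(r'"GET (\S*/download\.php\?[^" ]*)')


def suspicious_download_requests(log_lines):
    """Return (client_ip, decoded download_file) for download.php requests whose
    download_file value holds a '..' segment; decoded twice to catch %252e%252e."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = m.group(1).split("?", 1)[1]
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            value = unquote(unquote(value))
            if key == "download_file" and TRAVERSAL.search(value):
                hits.append((line.split()[0], value))
    return hits
```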

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

############################################################################################