Title: Remote file download vulnerability in candidate-application-form v1.0 WordPress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-12
Download Site: https://wordpress.org/plugins/candidate-application-form
Vendor: https://profiles.wordpress.org/flaxlandsconsulting/
Vendor Notified: 2015-07-12
Vendor Contact:

Description: This plugin allows you to easily add a candidate application form to a job vacancy post, which allows the candidate to apply for the vacancy.

Vulnerability: The code in downloadpdffile.php doesn't do any sanity checks, allowing a remote attacker to download sensitive system files:
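
The sanity checks the advisory finds missing could look like the following download handler. This is an added example, not the plugin's code or the advisory author's; the request parameter name `file` and the `uploads` storage directory are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumptions: the request parameter
// name "file" and the storage directory "uploads" are hypothetical.

/**
 * Return the canonical path of a PDF stored directly inside $baseDir,
 * or null when the request must be refused.
 */
function resolve_pdf_download(string $baseDir, string $requested): ?string
{
    // Allowlist: a bare file name ending in .pdf. No separators, NUL bytes,
    // quotes or control characters can pass this pattern.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,200}\.pdf\z/i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still be inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested)
    ? resolve_pdf_download(__DIR__ . '/uploads', $requested)
    : null;

if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "refused"
    exit;
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The name allowlist and the canonical-path containment test are independent checks: the first rejects traversal input outright, the second catches a symlink inside the storage directory that points elsewhere.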