[FD] Remote file download vulnerability in download-zip-attachments v1.0

Title: Remote file download vulnerability in download-zip-attachments v1.0 Author: Larry W. Cashdollar, @_larry0 Date: 2015-06-10 Download Site: http://ift.tt/1Jh6ovx Vendor: rivenvirus Vendor Notified: 2015-06-15 Vendor Contact: http://ift.tt/1Nh6bHd Advisory: http://ift.tt/1Jh6ovz Description: Download all attachments from the post into a zip file. Vulnerability: from download-zip-attachments/download.php makes no checks to verify the download path is with in the specified upload directory.