$_POST['id'] is not escaped.
populate_download_edit_form() is accessible to every registered user.
$_REQUEST['id'] is not escaped.
$_REQUEST['doifd_file_name'] is not passed through basename(), so any file can be deleted by using as filename
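The two issues above (the handler reachable by every registered user, and the request value used as a path without basename()) can be shown side by side. The following is an added example written for this advisory, not the plugin's own code: it simulates a "delete download file" handler with a vulnerable shape next to a hardened one. The function names, the upload directory layout and the $userIsAdmin flag are assumptions; real code would derive the permission from the application's own capability check.

```php
<?php
// Added example, not the plugin's code. A stand-alone simulation of a
// "delete download file" handler, run with the PHP CLI.

// Vulnerable shape: the request value is joined to the upload directory as-is.
// "../secret.txt" therefore walks out of the directory and deletes a file elsewhere.
function delete_download_vulnerable(string $uploadDir, string $requestedName): bool
{
    $path = $uploadDir . '/' . $requestedName;
    return is_file($path) && unlink($path);
}

// Hardened shape: require authorization, reduce the request value to a bare
// file name with basename(), then confirm the resolved path is still inside
// the upload directory before calling unlink().
function delete_download_hardened(string $uploadDir, string $requestedName, bool $userIsAdmin): bool
{
    if (!$userIsAdmin) {               // assumed capability flag: not every registered user may delete
        return false;
    }
    $name = basename($requestedName);  // strips every directory component, including "../"
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . '/' . $name);
    if ($base === false || $path === false) {
        return false;                  // missing directory or file: nothing to delete
    }
    // Defence in depth: the resolved path must remain under the upload directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($path);
}

// Constructed fixture: an uploads/ directory with one file, and a "secret"
// file one level above it that the handler must never be able to remove.
$root = sys_get_temp_dir() . '/doifd_demo_' . getmypid();
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/report.pdf", 'pdf');
file_put_contents("$root/secret.txt", 'secret');

$traversal = '../secret.txt';  // the kind of value an attacker sends as doifd_file_name

printf("vulnerable deletes ../secret.txt: %s\n",
    delete_download_vulnerable("$root/uploads", $traversal) ? 'yes' : 'no');
printf("secret.txt still exists: %s\n", file_exists("$root/secret.txt") ? 'yes' : 'no');

file_put_contents("$root/secret.txt", 'secret'); // recreate it for the hardened run
printf("hardened (admin) deletes ../secret.txt: %s\n",
    delete_download_hardened("$root/uploads", $traversal, true) ? 'yes' : 'no');
printf("hardened (non-admin) deletes report.pdf: %s\n",
    delete_download_hardened("$root/uploads", 'report.pdf', false) ? 'yes' : 'no');
printf("hardened (admin) deletes report.pdf: %s\n",
    delete_download_hardened("$root/uploads", 'report.pdf', true) ? 'yes' : 'no');

// Clean up the fixture.
@unlink("$root/secret.txt");
@unlink("$root/uploads/report.pdf");
rmdir("$root/uploads");
rmdir($root);
```

With the traversal value, basename() reduces "../secret.txt" to "secret.txt", so the hardened handler looks only inside uploads/ and refuses because no such file exists there; the realpath() containment check is an extra guard for cases such as symlinks inside the upload directory. The vulnerable version removes the file outside the directory on the first call.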
Proof of Concept:
Log in as a regular user (created using
- 03-12-2015: Discovered
- 03-12-2015: Vendor notified
- 05-12-2015: Version 2.1.0 released, issue resolved