CVE-2019-25727

WordPress · Plugin ad manager wd

WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability allowing unauthenticated attackers to read sensitive system files, including wp-config.php.

Executive summary

A critical arbitrary file download vulnerability in WordPress Plugin ad manager wd allows unauthenticated attackers to access sensitive configuration files and credentials.

Vulnerability

The vulnerability is an unauthenticated arbitrary file read flaw located in the edit.php endpoint. By manipulating the path parameter during a CSV export request, an attacker can bypass access controls to download files accessible to the web server user.

Business impact

The CVSS score of 9.8 reflects the high severity of this flaw, as it allows for the disclosure of critical site configuration files, such as wp-config.php. This file often contains database credentials, salts, and secret keys, which can be leveraged to escalate privileges or gain complete control over the underlying database.

Remediation

Immediate Action: Update the ad manager wd plugin to the latest patched version available from the vendor.

Proactive Monitoring: Audit server logs for GET requests containing export=export_csv and suspicious directory traversal patterns (e.g., ../../) within the path parameter.

Compensating Controls: Deploy a WAF to filter and block requests containing directory traversal sequences in URL parameters.
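The log audit described under Proactive Monitoring, as an added example that is not part of this advisory: a small Python scanner that parses Apache-style access-log lines, URL-decodes the query string (including double-encoded variants), and flags requests where export=export_csv is combined with a path value containing traversal sequences or an absolute path. The log lines are constructed, and PLUGIN_DIR is a placeholder for the plugin's actual directory name.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
# PLUGIN_DIR stands in for the plugin's directory; edit.php is the endpoint named in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-content/plugins/PLUGIN_DIR/edit.php?export=export_csv&path=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.88"
203.0.113.6 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-content/plugins/PLUGIN_DIR/edit.php?export=export_csv&path=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /wp-content/plugins/PLUGIN_DIR/edit.php?export=export_csv&path=exports/ads.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "../" or "..\" anywhere in the decoded value.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e/) are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_export(target):
    """True if the request target is a CSV export whose path parameter escapes the expected directory."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)  # parse_qs decodes once
    if query.get("export") != ["export_csv"]:
        return False
    for raw in query.get("path", []):
        path = decode_fully(raw)
        if TRAVERSAL_RE.search(path) or path.startswith(("/", "\\")):
            return True
    return False


def scan_log(text):
    """Return (ip, timestamp, decoded target) for every matching request in the log text.
    The advisory mentions GET requests; the query is checked regardless of method."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_export(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), decode_fully(m.group("target"))))
    return hits
```

The legitimate export of exports/ads.csv is not flagged; the two traversal attempts (plain and percent-encoded) are.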

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability presents a severe risk to site security. Administrators should update the plugin immediately. If an update is not currently available, consider disabling or removing the plugin until a secure version is released.