Patching wsm-downloader

Remember never to trust user input. It is a common mistake: when writing a web application you are focused on building and making it work, so you feed it the values you expect. “What could go wrong?” doesn’t cross your mind; you are focused on building.

With the wsm-downloader plugin, the developer added a feature to pull a remote file over HTTP(S) and display its contents through the website. A clever workaround, but the function they chose to pull the remote file can also pull local files, accidentally turning this plugin into a file reader for any file on the web server (that the PHP process can read).

WordPress stores important secrets and salts in its wp-config.php file, which PHP will always be able to read. These secrets include the database user and password, along with the hostname to connect to. Even if the database itself is properly secured, the secret salts can still be used to perform more sophisticated attacks against the site.

The patch method I used was to include a basic filter requiring that the supplied value start with HTTP:// or HTTPS://. This ensures only remote files are requested, and attempts to access local files fail.
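As an added example (not the plugin's own code), here is the shape of that filter in PHP: the unchecked read beside the patched one, and a few constructed inputs showing what the scheme-prefix check lets through. The names wsm_is_remote_url(), wsm_fetch_unsafe() and wsm_fetch_remote() are assumed for illustration.

```php
<?php
// Added example, not code from wsm-downloader. Function names are assumed.

/**
 * Return true only when $value starts with http:// or https://.
 * The match is case-insensitive so "HTTP://" passes, matching the post;
 * relative paths, absolute paths and other stream wrappers are rejected.
 */
function wsm_is_remote_url( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    return stripos( $value, 'http://' ) === 0
        || stripos( $value, 'https://' ) === 0;
}

/**
 * Vulnerable shape: the raw request value reaches the file reader,
 * so a path such as "../wp-config.php" is read from the local disk.
 */
function wsm_fetch_unsafe( $file ) {
    return file_get_contents( $file );
}

/**
 * Patched shape: refuse anything that is not an http(s) URL before
 * the read ever happens. Returns false for rejected input.
 */
function wsm_fetch_remote( $file ) {
    if ( ! wsm_is_remote_url( $file ) ) {
        return false;
    }
    return file_get_contents( $file );
}

// Constructed inputs exercising only the filter; no read is performed here.
$cases = array(
    'https://example.com/report.txt' => true,
    'HTTP://example.com/report.txt'  => true,
    '../wp-config.php'               => false,
    '/var/www/html/wp-config.php'    => false,
    'file:///var/www/html/wp-config.php' => false,
    ''                               => false,
);
foreach ( $cases as $input => $expected ) {
    $result = wsm_is_remote_url( $input );
    printf( "%-40s %s\n", $input, $result === $expected ? 'ok' : 'MISMATCH' );
}
```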

You can read more technical details about this patch in the Last Patch post about Patching Arbitrary File Download in wsm-downloader.
