Title: Open Proxy in filedownload v1.4 WordPress plugin
The code in download.php doesn't check whether a user is logged in before allowing a request to an external site. This flaw can be used to load malicious code into a browser or to mask application attacks directed at a target site from behind sites running the vulnerable WordPress plugin. CVE-2015-70002

 27 $type = $_GET[type];
 28 $path = $_GET[path];
 29 $check = $_GET[check];
 30 
 31 $forbidden = false;
 32 $path_parts = pathinfo($path);
 33 
 34 // V0.2 Security: not longer allowed relative pathes
 35 if (strpos($path, 'http://') === false) $forbidden = true;
 36 if (!(strpos($path, '..') === false)) $forbidden = true;
 37 if (!(strpos($path, '.php') === false)) $forbidden = true;
 38 
 39 // version 1.4 external downloads allowed?
 40 $allow_external_download = get_blog_option( get_current_blog_id(), "filedownload_allow_external_download", "not available" );
 41 if ($allow_external_download == "0") // then external url downloads are not allowed
 42 {
 43 
 44   $site_url = strtolower(get_site_url( get_current_blog_id() ));
 45   $download_url = strtolower(substr($path_parts[dirname], 0, strlen($site_url)));
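
The substring checks on lines 35-37 beside a hardened validator, as an added example that is not the plugin's code or the author's. It models the case where external downloads are disabled; the function names, site URL and sample requests are constructed, and in WordPress the `$logged_in` flag would come from `is_user_logged_in()`.

```php
<?php
// Added example, not the plugin's code. Hosts and URLs below are constructed.

// The three checks from lines 35-37 of download.php, unchanged in behaviour.
function original_check(string $path): bool {
    $forbidden = false;
    if (strpos($path, 'http://') === false) $forbidden = true;
    if (!(strpos($path, '..') === false)) $forbidden = true;
    if (!(strpos($path, '.php') === false)) $forbidden = true;
    return !$forbidden;
}

// Hardened form: parse the URL and compare scheme, host and port exactly
// against the site's own URL instead of searching for substrings.
function hardened_check(string $path, string $site_url, bool $logged_in): bool {
    if (!$logged_in) return false;               // the login check the page says is missing
    $url  = parse_url($path);
    $site = parse_url($site_url);
    if ($url === false || $site === false) return false;
    if (empty($url['scheme']) || empty($url['host']) || empty($url['path'])) return false;
    if (isset($url['user']) || isset($url['pass'])) return false;
    if (!in_array(strtolower($url['scheme']), ['http', 'https'], true)) return false;
    if (strtolower($url['host']) !== strtolower($site['host'] ?? '')) return false;
    if (($url['port'] ?? null) !== ($site['port'] ?? null)) return false;
    // Decode once, then refuse traversal segments and PHP files.
    $decoded = rawurldecode($url['path']);
    if (preg_match('#(^|/)\.\.(/|$)#', $decoded)) return false;
    if (stripos($decoded, '.php') !== false) return false;
    return true;
}

$site = 'http://blog.example.com';               // constructed site URL
$samples = [                                     // constructed requests
    'http://blog.example.com/wp-content/uploads/report.pdf',
    'http://other.example.net/payload.js',
    'http://blog.example.com/wp-content/../wp-config.txt',
];
foreach ($samples as $p) {
    printf("%-58s original=%s hardened=%s\n", $p,
        original_check($p) ? 'allow' : 'deny',
        hardened_check($p, $site, true) ? 'allow' : 'deny');
}
```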


CVE-2015-70003:
Possible Blind SQL Injection and Persistent XSS. I haven't been able to successfully exploit these:

Lines 53-54 don't handle user input properly for $filename:

 53   $query = 'SELECT * FROM '.$wpdb->prefix.'filedownload WHERE filename = \''.$filename.'\'';
 54   $result=$wpdb->get_row($query, ARRAY_A);

The filenames are sent back to the user without any sanitization. I believe if you can create an XSS filename as your payload you may be able
to inject persistent XSS filenames into the database.

149       foreach ($selected as $filename)
150       {
151         filedownload_Reset($filename);
152         print "filename = $filename
";
153       }
154     }

CVE-2015-70004:
Reflected XSS

Line 61 of download.php echoes the contents of the referer to the user without sanitizing its contents first, leading to reflected XSS:

 61