I’ve recently discovered an arbitrary file download security vulnerability in the a magento plugin: Product File Upload. Honestly.. I’m not sure what we could have expected from a 10 dollar plugin. It opens up a huge security hole that grants access to every file on the server. The vulnerability allows anyone to basically download any file. Unrestricted.