CVE-2014-10396

The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.
Source: NIST
CVE-2014-10396