Didn't see this anywhere in the GHDB, but its been known for a while and
widely abused by others.
Google Dork "allinurl:forcedownload.php?file="
Sites that use the forcedownload.php script are vulnerable to url
manipulation, and will spit out any file on the local site, including the
PHP files themselves with all server side code, not the rendered page, but
the source itself. This is most commonly used on wordpress sites to grab the
wp-config.php file to gain access to the database, but is not limited to
wordpress sites. I only list it as an example, so people understand the
weight of flaw.