Description: The plugin lacks proper access controls, allowing any logged-in user to view and download files belonging to another user.
As a logged in user, send a GET request:
GET /wp-admin/admin-ajax.php?action=cdm_file_list&uid=3(CHANGE HERE)&pid=0(CHANGE HERE)&search=&_=1708406394720
You can view files and directories owned by other users by manipulating the `uid` and `pid` parameters.
That information can then be leveraged to download the files.
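For site owners reviewing whether this was used against them, the following added example (not part of the original advisory or the plugin's code) scans web access logs for one client requesting `cdm_file_list` with several different `uid` values. It assumes combined log format and that a single client address corresponds to a single logged-in user; the log lines, function names and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not from a real site.
SAMPLE_LOG = """\
198.51.100.20 - - [20/Feb/2024:05:10:01 +0000] "GET /wp-admin/admin-ajax.php?action=cdm_file_list&uid=7&pid=0&search=&_=1708405801000 HTTP/1.1" 200 640
198.51.100.20 - - [20/Feb/2024:05:10:09 +0000] "GET /wp-admin/admin-ajax.php?action=cdm_file_list&uid=7&pid=12&search=&_=1708405809000 HTTP/1.1" 200 311
198.51.100.20 - - [20/Feb/2024:05:10:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58
203.0.113.7 - - [20/Feb/2024:05:19:54 +0000] "GET /wp-admin/admin-ajax.php?action=cdm_file_list&uid=3&pid=0&search=&_=1708406394720 HTTP/1.1" 200 812
203.0.113.7 - - [20/Feb/2024:05:19:58 +0000] "GET /wp-admin/admin-ajax.php?action=cdm_file_list&uid=4&pid=0&search=&_=1708406398101 HTTP/1.1" 200 790
203.0.113.7 - - [20/Feb/2024:05:20:03 +0000] "GET /wp-admin/admin-ajax.php?action=cdm_file_list&uid=5&pid=0&search=&_=1708406403555 HTTP/1.1" 200 455
"""

# Client address and request target of a GET line in combined log format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" \d{3}')


def uids_per_client(log_text):
    """Map each client address to the set of uid values it sent to cdm_file_list."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        if query.get("action") != ["cdm_file_list"]:
            continue
        seen[client].update(query.get("uid", []))
    return dict(seen)


def flag_enumeration(log_text, max_uids=1):
    """Return clients that listed files for more than max_uids distinct users.

    Assumption: a legitimate client only ever lists its own uid.
    """
    hits = uids_per_client(log_text)
    return sorted(c for c, uids in hits.items() if len(uids) > max_uids)


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Shared addresses (NAT, proxies) can put several users behind one client, so treat a hit as a lead to correlate with session data rather than as proof.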