The Download Manager WordPress plugin prior to 3.2.83 does not protect file download's passwords, leaking it upon receiving an invalid one.
wpdownloadmanager wordpress download manager
Vulmon