Plugin is still affected and has been closed. The code in download-file.php does not verify if the user is logged in or sanitize which files can be downloaded. This vulnerability can be used to download sensitive system files, such as the Linux passwd file.
$ curl -v "http://www.example.com/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd