Description This plugin is vulnerable to server-side request forgery (SSRF) via the path
parameter.
Send a GET request to `wpb-show-core/download-file.php` with the path parameter set to an arbitrary URL
`http://example.com/latest/meta-data/iam/security-credentials/wpb-apps-prod-role`
the website will download/response the files