The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the vulnerable service.
https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74