The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server
https://wpscan.com/vulnerability/8d6dd979-21ef-4d14-9c42-bbd1d7b65c53/