Proof of Concept
As a contributor, it is possible to retrieve the contents of a site’s wp-config.php file by performing the following steps:
Login as a contributor user and go to Downloads->Add New. Name the post, and intercept the request when you Submit for Review (no file needs to be uploaded).
In the file[page_template] parameter, swap out page-template-1col-flat.php for “\\../../../../../wp-config.php”
Then preview the page. The contents of the wp-config.php file will be visible in the page source.
The reason this is possible is due to the wpdm_basename function in wpdm-functions.php. After removing the initial “\\” from the parameter value, it returns ../../../../../wp-config.php as the basename.