The plugin allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.
Proof of Concept
As a contributor
1) Add new download
2) Set "Downloadable File" to http://example.com/wp-content/../wp-config.php
3) Enable "Dispatch the file via PHP directly"
5) Click download button
6) wp-config.php file is downloaded