1. Create a private folder that contains a file that you intend keep secret.
2. Add the plugin shortcode `[upf_manager]` to a post.
3. Access a file that you have access to and intercept the request.
4. Manipulate the `doc_id` to contain the number of of a file that you want to access (this will be random), for example: `doc_5712`
5. See that the response discloses the file when the user doesn't have access to it: `{"doc_ttl":"secret-image.jpg","doc_src":"https:\/\/\/wp-content\/uploads\/upf-docs\/usr1_1694106985_secret-image.jpg","doc_desc":"","file_type":"img","cmnts_html":"","author":""}`
6. The file can then be directly downloaded.

Note: The `fldr_id` can also be manipulated.