I just had an incident with an SEO Firm I work with. A new client had not provided FTP access to their site so I booted in this plugin in order to make a change to wp-config.php. The plugin seemed to work fine, at first. I downloaded the file, added a couple of lines of code, saved, and uploaded - never thinking to scan to the very bottom.
Somehow, on download, wp-filemanager appended the entire index.php file (rendered HTML) to the end of wp-config.php. The result took the client's entire site offline (WSOD) for four hours until we could reach someone who was able to revert the wp-config file to its former status. Pretty embarrassing stuff.
On the plus side, we now have full developmental access and a full backup. As far as we know, the ultimate client isn't firing my client. Still... what the heck happened? How did the PHP return a download that had an HTML file appended to the end of the requested one?