@Southparkfan : Do you still want re-review on this?
- AtomExporter still has XSS issues. The SQL injection is fixed (The SQL isn't following best current practices, but it is no longer vulnerable). The extension however is "archived"
- DownloadCounter looks fine, although the Download.php is a little sketch in terms of exposing file existence via path traversal and didn't follow best practises for escaping (but was not exploitable). Fixed in 31214ed604f324fba3f125bad92f6b313a12d4ca
- PasswordProtection is now archived. prior to the archive, the extension looked rather sketch, but no SQL injections.
I'm going to close this bug. Let me know if you want anything more for this.