Report
CVE-2018-20483: wget stores plaintext credentials in xattr file metadata (information-leak)
684e1466-2f52-4b07-a5d7-a8876641dfa3
When wget downloads a file with --xattr enabled (opt.enable_xattr), the set_file_metadata() function in src/xattr.c writes the full download URL including plaintext username:password credentials into POSIX extended file attributes (user.xdg.origin.url and user.xdg.referrer.url). These xattrs are readable by any user with access to the downloaded file, exposing credentials to other local users or processes.
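The mitigation for this class of leak is to remove the userinfo component from a URL before it is written to any file metadata. The following is an added example, not wget's own code or its actual fix; the helper names `userinfo_end`, `url_has_userinfo` and `strip_url_userinfo` and the sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not wget's code: return the '@' that ends the
   userinfo part of url, or NULL if there is none. *auth gets the start
   of the authority component. */
static const char *userinfo_end(const char *url, const char **auth)
{
    const char *p = strstr(url, "://"), *at = NULL;
    size_t i, n;
    if (!p)
        return NULL;
    *auth = p += 3;
    n = strcspn(p, "/?#");          /* authority stops at path/query/fragment */
    for (i = 0; i < n; i++)         /* take the last '@' so a raw '@' in the */
        if (p[i] == '@')            /* password cannot leave a fragment behind */
            at = p + i;
    return at;
}

/* Detection: 1 if url carries user[:password]@, else 0. */
int url_has_userinfo(const char *url)
{
    const char *auth = url;
    return userinfo_end(url, &auth) != NULL;
}

/* Mitigation: copy url into out without userinfo.
   Returns 0 on success, -1 if out is too small. */
int strip_url_userinfo(const char *url, char *out, size_t outsz)
{
    const char *auth = url, *at = userinfo_end(url, &auth);
    size_t head = at ? (size_t)(auth - url) : 0;
    const char *rest = at ? at + 1 : url;
    size_t tail = strlen(rest);
    if (head + tail >= outsz)
        return -1;
    memcpy(out, url, head);
    memcpy(out + head, rest, tail + 1);   /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    const char *url = "https://alice:s3cret@example.com/f.tgz"; /* constructed */
    char clean[256];
    if (strip_url_userinfo(url, clean, sizeof clean) == 0)
        printf("has_userinfo=%d store=%s\n", url_has_userinfo(url), clean);
    return 0;
}
```

The same `url_has_userinfo` check can be applied to values read back from `user.xdg.origin.url` and `user.xdg.referrer.url` when auditing files that were downloaded before a fix was in place.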