Password manager doesn't check form destination. It makes it possible for attacker to retrieve saved paramters, including saved login/password if he can insert form into content of the site.