The assumption that the password is sent in plaintext is incorrect. If this were the case, then WPA would have been cracked a long time ago.
The only successful WPA attack outside of getting the handshake is to get the client associated to your fake AP with an SSID that is unencrypted (like a hotel or coffee shop they go to); then you can exploit the machine and take the keys. I've successfully done this on my test computers. WPA is a long way off from being cracked (but it will happen eventually).