CVE-2021-25069

Name of the Vulnerable Software and Affected Versions Download Manager WordPress plugin versions prior to 3.2.34

Description The issue arises from the lack of sanitization and escaping of the package ids parameter before its use in a SQL statement, leading to a SQL injection. This can also be exploited to cause a Reflected Cross-Site Scripting issue.

Recommendations For versions prior to 3.2.34, update to version 3.2.34 or later to resolve the issue. As a temporary workaround, consider restricting access to the Download Manager WordPress plugin until the update is applied. Avoid using the package ids parameter in affected API endpoints until the issue is resolved.