Email Before Download (https://wordpress.org/plugins/email-before-download/) before version 4.0 was vulnerable to several SQL injections. An SQL escaping function was used but the escaped value was not between quotes so the attack payload does not have to use quotes and thus no escaping is done.