CVE-2021-25069: 
WordPress vulnerability analysis and mitigation

The WordPress Download Manager plugin before version 3.2.34 contains a SQL injection vulnerability (CVE-2021-25069) that affects authenticated users. The vulnerability stems from improper sanitization and escaping of the package_ids parameter before its use in SQL statements (WPScan).

The vulnerability exists due to insufficient input validation where the package_ids parameter is not properly sanitized before being used in SQL queries. This can be exploited through the WordPress admin panel at the path /wp-admin/admin.php?page=wpdm-stats. The vulnerability has a CVSS score of 6.1 (medium) and is classified as an SQL Injection vulnerability under the OWASP Top 10 category A1: Injection and CWE-89 (WPScan).

When exploited, this vulnerability can lead to SQL injection attacks and can also be leveraged to cause Reflected Cross-Site Scripting issues. This could potentially allow attackers to execute arbitrary SQL queries and inject malicious scripts into the application (WPScan).

The vulnerability has been patched in WordPress Download Manager version 3.2.34. Users are strongly recommended to upgrade to this version or later to mitigate the risk (WPScan).