There is a serious vulnerability in the WordPress Download Manager plugin that allows a remote attacker to upload malicious scripts to your website, gain administrative access and modify passwords.
The vulnerability exists in versions of WordPress Download Manager older than 2.7.5. The Changelog confirms this has been fixed as of version 2.7.5.
WP Download manager was allowing unauthenticated ajax calls to execute arbitrary functions. This would allow an attacker to upload arbitrary files and perform a variety of other malicious tasks.
What to do:
Upgrade to WordPress Download Manager version 2.7.5 which is the newest version at the time of writing. The author has also confirmed that the newest version of WP Download Manager Pro has also been fixed.
Please spread the word in the WP community to ensure anyone using this plugin upgrades to the newest version promptly.