The Wordfence team found two separate vulnerabilities: a sensitive information disclosure and a file upload vulnerability that could have resulted in remote code execution in some configurations.
A patched version of the WP Download Manager plugin was released within days of disclosure.
Original article: https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/