The vulnerability was discovered and disclosed last week and immediately patched by the WP Download Manager plugin. The plugin used a custom method to handle certain types of Ajax requests which could be abused by an attacker to call arbitrary functions within the application's context. There were no permission checks before handling these special Ajax calls. The culprit was in the wpdm_ajax_call_exec() function. The function is hooked to the WP hook (which is executed every single time somebody visits a post/page). It could be used to upload a backdoor and change important credentials, like admin accounts.
Source: https://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html
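
An added example, not code from the plugin or from the advisory: a WordPress Ajax dispatcher written so that the three gaps described above (handler on the `wp` hook, no permission check, caller-chosen function) are closed. All `example_dm_*` names, the `op` and `nonce` request fields and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Added illustration: every example_dm_* name, the 'op' and 'nonce' fields and the
// 'manage_options' capability are assumptions, not taken from the plugin.
//
// Unsafe shape the advisory describes: a handler on the 'wp' hook (runs on every
// page view, for any visitor) that calls whatever function the request names.

// Fixed map of operation => callback. The request selects a key, never a function.
function example_dm_operations() {
    return array(
        'list_packages' => 'example_dm_list_packages',
        'package_stats' => 'example_dm_package_stats',
    );
}

function example_dm_list_packages() {
    return array( 'packages' => array() ); // constructed placeholder payload
}

function example_dm_package_stats() {
    return array( 'downloads' => 0 ); // constructed placeholder payload
}

function example_dm_ajax_dispatch() {
    // 1. CSRF: the nonce must match the one issued to the logged-in user's page.
    check_ajax_referer( 'example_dm_ajax', 'nonce' );

    // 2. Authorization: only users holding the required capability may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Allow-list: unknown operation names are rejected, not resolved to functions.
    $op  = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    $ops = example_dm_operations();
    if ( ! array_key_exists( $op, $ops ) ) {
        wp_send_json_error( array( 'message' => 'Unknown operation' ), 400 );
    }

    wp_send_json_success( call_user_func( $ops[ $op ] ) );
}

// Registered on wp_ajax_{action} only, so it fires through admin-ajax.php for
// logged-in users. No wp_ajax_nopriv_ hook: anonymous requests never reach it.
add_action( 'wp_ajax_example_dm_call', 'example_dm_ajax_dispatch' );
```

When auditing other plugins for the same class of bug, look for `call_user_func()` or variable function calls whose target comes from `$_GET`, `$_POST` or `$_REQUEST`, especially inside callbacks attached to `init`, `wp` or `wp_ajax_nopriv_*`.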