Findings
- Values read from the database are inserted directly into SQL queries in classes/class.model.php at lines 387 and 403 (second-order SQL injection: a value that was stored earlier is concatenated back into a later query without parameterisation)
- A function argument is inserted directly into SQL in:
  - classes/class.model.php at line 593 (this function is called with a value taken from the database), line 664 (insert_or_update) and line 789
  - classes/networkquery.php at line 3754, where the argument appears to be a WP_Query object
  - includes/functions.php at lines 194, 201, 545, 548 and 551
- Output is not escaped properly in the settings page, so a value that reaches it could be rendered as HTML rather than text; the form does appear to require a nonce, which prevents the values from being submitted cross-site (CSRF), although a nonce does not make a stored value safe to print
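As an added illustration of the patterns the findings describe (this is example code, not the plugin's code; the class, table, option and function names are hypothetical), the vulnerable shape is shown beside its hardened form, using WordPress's $wpdb->prepare(), $wpdb->insert()/$wpdb->update() and the esc_* output helpers:

```php
<?php
/**
 * Added illustration only; not code from the plugin under review.
 * The table, option, class and function names are hypothetical.
 * Requires WordPress (global $wpdb, esc_*, nonce and option helpers).
 */

class Example_Model {

    /**
     * VULNERABLE pattern (the shape the findings describe): a value read from
     * the database is concatenated straight back into SQL. If an admin stored
     * a title such as   x' OR 1=1 --   the second query is no longer the one
     * the developer intended (second-order SQL injection).
     */
    public function get_related_unsafe( $id ) {
        global $wpdb;
        $table = $wpdb->prefix . 'example_items'; // hypothetical table
        $row   = $wpdb->get_row( "SELECT title FROM {$table} WHERE id = " . (int) $id );
        return $wpdb->get_results(
            "SELECT * FROM {$table} WHERE title = '" . $row->title . "'"
        );
    }

    /**
     * HARDENED: every runtime value, whether it came from user input or from
     * the database, goes through $wpdb->prepare() with a typed placeholder.
     * The table name is not a placeholder, so it is built from $wpdb->prefix
     * and a literal, never from an argument.
     */
    public function get_related( $id ) {
        global $wpdb;
        $table = $wpdb->prefix . 'example_items';
        $row   = $wpdb->get_row(
            $wpdb->prepare( "SELECT title FROM {$table} WHERE id = %d", $id )
        );
        if ( ! $row ) {
            return array();
        }
        return $wpdb->get_results(
            $wpdb->prepare( "SELECT * FROM {$table} WHERE title = %s", $row->title )
        );
    }

    /**
     * HARDENED insert-or-update: $wpdb->insert()/update() take column => value
     * arrays plus a format list (%d/%s/%f), so no SQL is assembled by string
     * concatenation at all.
     */
    public function insert_or_update( $id, $title, $count ) {
        global $wpdb;
        $table  = $wpdb->prefix . 'example_items';
        $data   = array( 'title' => $title, 'count' => $count );
        $format = array( '%s', '%d' );
        if ( $id > 0 ) {
            return $wpdb->update( $table, $data, array( 'id' => $id ), $format, array( '%d' ) );
        }
        return $wpdb->insert( $table, $data, $format );
    }
}

/**
 * Settings page: the nonce blocks cross-site delivery of the form (CSRF), but
 * it does not make a stored value safe to print. Escape at the point of output:
 * esc_attr() inside attributes, esc_html() in element content.
 */
function example_render_settings_page() {
    $title = get_option( 'example_title', '' ); // hypothetical option
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_title" value="<?php echo esc_attr( $title ); ?>">
        <p>Current title: <?php echo esc_html( $title ); ?></p>
        <?php submit_button(); ?>
    </form>
    <?php
}

/** Save handler: capability check, nonce check, then sanitise before storing. */
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    $title = isset( $_POST['example_title'] ) ? wp_unslash( $_POST['example_title'] ) : '';
    update_option( 'example_title', sanitize_text_field( $title ) );
}
```

The point of the split between the save handler and the renderer is that sanitising on input and escaping on output are separate controls: sanitize_text_field() limits what is stored, but the value must still be escaped wherever it is printed, and the nonce addresses neither concern.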
Reason for the 'Use with caution' result
The plugin contains, or is likely to contain, a vulnerability that a privileged user could exploit to affect the site's confidentiality, integrity or availability beyond what their privileges allow:
An admin user, or an attacker who has compromised an admin account, may be able to perform SQL injection attacks and so read or modify database content directly rather than through the plugin's own interface.