• This plugin stores values from $_POST in the database (simple-custom-post-order.php line 231) then takes those values back out of the database (line 233) and then puts those values, unescaped, into SQL queries (241)

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Authenticated users may be able to perform SQL injections.