Findings
- Puts variables into SQL without escaping them – includes/core.php lines 311 and 327 – this appears vulnerable to SQLi if a user is able to set the post_types option
- SQL is escaped using addslashes() instead of using esc_sql() or $wpdb->prepare() – hacks.php line 347
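The two patterns above, shown side by side with the fix the findings point to. This is an added illustration, not the plugin's code: the option name `example_post_types`, the function names and the query are hypothetical, and only `$wpdb`, `get_option()`, `sanitize_key()` and `$wpdb->prepare()` are real WordPress APIs.

```php
<?php
// Added illustration (not the plugin's own code). Assumes a WordPress context
// and a hypothetical option 'example_post_types' holding a comma-separated
// list of post types that a privileged user can set.

// FINDING 1 PATTERN: option value interpolated straight into the SQL text.
// Whoever can write the option controls part of the query.
function example_count_posts_unsafe() {
    global $wpdb;
    $types = get_option( 'example_post_types', 'post,page' );
    $list  = "'" . implode( "','", explode( ',', $types ) ) . "'";
    return $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type IN ($list)" );
}

// FINDING 2 PATTERN: addslashes() is not a substitute for esc_sql() or
// prepare(): it is not aware of the connection charset and does nothing for
// values used outside quotes (a numeric LIMIT, an ORDER BY column, ...).
function example_count_posts_addslashes() {
    global $wpdb;
    $types = addslashes( get_option( 'example_post_types', 'post,page' ) );
    $list  = "'" . str_replace( ',', "','", $types ) . "'";
    return $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type IN ($list)" );
}

// HARDENED: validate each value, then bind every one with a placeholder so
// the option data never becomes part of the SQL text. $wpdb->prepare()
// accepts a single array as its argument list, which suits a variable-length
// IN (...) clause. sanitize_key() keeps only [a-z0-9_-], which matches the
// characters a registered post type name may use.
function example_count_posts_safe() {
    global $wpdb;
    $raw   = explode( ',', get_option( 'example_post_types', 'post,page' ) );
    $types = array_values( array_filter( array_map( 'sanitize_key', $raw ) ) );
    if ( empty( $types ) ) {
        return 0;
    }
    $placeholders = implode( ', ', array_fill( 0, count( $types ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type IN ($placeholders)",
        $types
    );
    return (int) $wpdb->get_var( $sql );
}
```

When reviewing a plugin for this class of issue, any query string built with interpolation or concatenation from `get_option()`, `$_GET`, `$_POST` or post meta is the thing to flag; `esc_sql()` is only acceptable for values that land inside quotes, and `prepare()` covers the rest.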
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
May be vulnerable to SQL injection.