These vulnerabilities are in cs_admin_users.php. Because of these vulnerabilities, remote attackers can execute arbitrary SQL commands via the “user”, “isadmin”, “mail service”, “mailresceipt”, “stellv”, “userid”, “champtipp” or “tippgroup” parameters.
Update the plugin.