The plugin does not escape the sbp_convert_table_name parameter before using it in an SQL statement to convert the related table, leading to an SQL injection.
https://example.com/wp-admin/admin-ajax.php?action=sbp_database_action&sbp_action=convert_tables&sbp_convert_table_name=SQLi&nonce=b2d6208254
The nonce is obtained when converting a table to InnoDB (/wp-admin/admin.php?page=sbp-settings#tab=database-optimization) and capturing the request.
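
One way to handle a table-name parameter like this safely, as an added example that is neither the plugin's code nor its actual fix: the name is accepted only if it exactly matches a table the database itself reports. The function names, the example_convert_table action and the ALTER TABLE ... ENGINE=InnoDB statement are assumptions; only the sbp_convert_table_name and nonce parameter names come from the report above.

```php
<?php
// Added example with hypothetical names; not the plugin's code.
// Assumption: the conversion is ALTER TABLE <name> ENGINE=InnoDB.

/**
 * Return $requested only if it is a plain identifier AND an existing table.
 * A table name sits in identifier context, so string escaping such as
 * esc_sql() does not make it safe; an exact-match allowlist does.
 */
function example_resolve_table( $requested, array $existing_tables ) {
	if ( ! is_string( $requested ) || ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $requested ) ) {
		return null;
	}
	return in_array( $requested, $existing_tables, true ) ? $requested : null;
}

function example_convert_table() {
	global $wpdb;
	check_ajax_referer( 'example_convert_table', 'nonce' ); // dies on a bad nonce
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$requested = isset( $_GET['sbp_convert_table_name'] )
		? sanitize_text_field( wp_unslash( $_GET['sbp_convert_table_name'] ) )
		: '';
	$table = example_resolve_table( $requested, $wpdb->get_col( 'SHOW TABLES' ) );
	if ( null === $table ) {
		wp_send_json_error( 'unknown table', 400 );
	}
	// $table passed the identifier pattern and equals one of the database's own table names.
	$wpdb->query( "ALTER TABLE `{$table}` ENGINE=InnoDB" );
	wp_send_json_success( array( 'converted' => $table ) );
}

if ( function_exists( 'add_action' ) ) {
	add_action( 'wp_ajax_example_convert_table', 'example_convert_table' );
} else {
	// Stand-alone run (php file.php) on constructed sample input.
	$tables = array( 'wp_options', 'wp_posts' );
	foreach ( array( 'wp_posts', 'wp_missing', 'wp_posts` x' ) as $name ) {
		var_dump( example_resolve_table( $name, $tables ) );
	}
}
```

On WordPress 6.2 and later, the %i identifier placeholder in $wpdb->prepare() can quote the name as well; the allowlist check still applies, because it also rejects names that are not existing tables.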