The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.
1. Add a new "WP Custom Cursor".
2. Return to the "WP Custom Cursors" page and click edit Cursor.
3. The WP Custom Cursors plugin was vulnerable to SQL injection in GET /wp-admin/admin.php?page=wpcc_add_new&edit_row=(select*from(select(sleep(20)))a)
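
A detection check for the request in step 3, as an added example that is not part of the original advisory or the plugin's code: it scans web-server access-log lines for wpcc_add_new requests whose edit_row value is not a plain integer. The combined log format, the assumption that edit_row normally carries a numeric row id, and the sample lines (constructed) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"[0-9]+")  # assumption: edit_row is a numeric row id

def suspicious_edit_row(line):
    """Return the decoded edit_row value if it is not a plain integer, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    # parse_qs percent-decodes, so encoded values are compared in clear form.
    params = parse_qs(url.query, keep_blank_values=True)
    if "wpcc_add_new" not in params.get("page", []):
        return None
    for value in params.get("edit_row", []):
        if not INTEGER_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, edit_row_value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_edit_row(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample lines (documentation IP range, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=wpcc_add_new&edit_row=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=wpcc_add_new&edit_row=(select*from(select(sleep(20)))a) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:40 +0000] "GET /wp-admin/admin.php?page=wpcc_add_new&edit_row=%28select%2Afrom%28select%28sleep%2820%29%29%29a%29 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=other_plugin&edit_row=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer edit_row={value!r}")
```

The same integer-only rule can be enforced ahead of the plugin, for example in a WAF or reverse-proxy rule, until a fixed version is installed.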