The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
1. When editing a form, go to "Settings > MySQL Mapping".
2. Click "Add a Query".
3. When mapping the form to the database in the next screen, intercept the request and replace either the `id` or `form_id` parameter with the payload `1%20AND%20(SELECT%205065%20FROM%20(SELECT(SLEEP(5)))zYK1)`
4. The request will run the SQL.
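As an added defender-side example (not part of the advisory, and not the plugin's own code), the following Python script scans web-server access-log lines for the vulnerable `id` / `form_id` parameters carrying anything other than a plain integer, and flags values that contain SQL keywords such as the `SLEEP`-based payload quoted above. The log lines, the `/wp-admin/admin.php` path and the `page=mysql-mapping` query value are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): one benign request to the
# mapping screen and one carrying the time-based payload quoted in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=mysql-mapping&id=12&form_id=3 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /wp-admin/admin.php?page=mysql-mapping&id=1%20AND%20(SELECT%205065%20FROM%20(SELECT(SLEEP(5)))zYK1)&form_id=3 HTTP/1.1" 200 512
"""

# The affected parameters are database identifiers, so any non-integer value is suspect.
WATCHED_PARAMS = ("id", "form_id")

# Pulls method and request target out of a Common Log Format request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Keywords typical of time-based and union-based injection attempts.
SQLI_HINT_RE = re.compile(r"\b(sleep|benchmark|select|union|and|or)\b", re.IGNORECASE)


def find_suspicious_requests(log_text: str) -> list:
    """Return one finding per watched parameter whose value is not a plain integer.

    parse_qs percent-decodes the query string, so the check sees the decoded value.
    """
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if value.isdigit():
                    continue  # well-formed numeric id: expected traffic
                findings.append({
                    "param": name,
                    "value": value,
                    "sqli_hint": bool(SQLI_HINT_RE.search(value)),
                    "line": line,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_requests(SAMPLE_LOG):
        print(f"{finding['param']}={finding['value']!r} sqli_hint={finding['sqli_hint']}")
```

Standard access logs record only the query string, so if the mapping request sends the parameters in a POST body this check needs a source that logs request bodies (for example a WAF or application log).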