The plugin does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue.
The post parameter must begin with the digits of a valid post ID (whether or not it is a Weather post).
https://example.com/wp-admin/admin.php?action=wpc_duplicate_post_as_draft&post=1%20and%20sleep(10)%23
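
The leading-digits requirement is what you would see if the handler looks the post up through a PHP integer cast while the SQL statement receives the raw request value; that is an assumption, since the plugin's code is not shown here. The following added example (not the plugin's code; function names, the table and the sample row are constructed) contrasts the lenient cast with strict validation plus a bound parameter, using an in-memory SQLite table in place of the WordPress posts table.

```php
<?php
// Added example, not the plugin's code. All names here are hypothetical.

// Lenient handling: a PHP integer cast keeps only the leading digits, so a
// lookup keyed on (int) $raw succeeds while $raw still carries trailing text.
function lenient_post_id(string $raw): int
{
    return (int) $raw;
}

// Strict handling: accept only a positive decimal integer, otherwise null.
function strict_post_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bind the validated ID instead of concatenating the request value.
function fetch_title(PDO $db, string $raw): ?string
{
    $id = strict_post_id($raw);
    if ($id === null) {
        return null; // reject the request outright
    }
    $stmt = $db->prepare('SELECT post_title FROM posts WHERE ID = ?');
    $stmt->execute([$id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// Constructed stand-in for the posts table (assumption: one sample row).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 'Sample weather')");

// Constructed inputs: a clean ID and the decoded value from the URL above.
foreach (['1', '1 and sleep(10)#'] as $raw) {
    printf(
        "%-22s lenient=%d strict=%s title=%s\n",
        var_export($raw, true),
        lenient_post_id($raw),
        var_export(strict_post_id($raw), true),
        var_export(fetch_title($db, $raw), true)
    );
}
```

In WordPress code the same pattern is `absint()` on the request value followed by `$wpdb->prepare()` with a `%d` placeholder.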