The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as contributor
Logon as contributor and open the below URL, which will result in a delayed response (If the “could not find original weather” error occur, just replace the 1 in “post=1” with an existing post id) https://example.com/wp-admin/admin.php?action=owmw_duplicate_post_as_draft&post;=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(3)))hlAf)