Because of these vulnerabilities, the attackers can execute arbitrary SQL commands via the “videoId” parameter in a newvideo page to wp-admin/admin.php, “vid” parameter in a myextract action to wp-admin/admin-ajax.php or “playlistId” parameter in the newplaylist page.
Update the plugin.