Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
Go to Bookly> Settings > Logs
Do a search and intercept the request
The parameter `columns%5B0%5D%5Bdata%5D` (the URL-encoded form of `columns[0][data]`), whose normal value is `created_at`, is vulnerable to payloads such as `(select*from(select(sleep(10)))a)`.
Observe the delay in the response, which shows that the injected expression was executed by the database.
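The parameter named in the advisory is the standard DataTables server-side field that tells the backend which column to sort by, and the classic mistake is to place that client-supplied string directly into an `ORDER BY` clause, where `$wpdb->prepare()` cannot parameterise it and `esc_sql()` does not help because no quotes surround the value. The following is an added example written for this advisory, not Bookly's own code: a hypothetical reconstruction of the vulnerable pattern placed beside a hardened form that maps the requested key through a fixed allow-list. The `columns[0][data]` parameter and the `created_at` value come from the advisory; the table name `bookly_log`, the function names and the allow-listed column names are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress environment
// (global $wpdb) and a hypothetical log table {$wpdb->prefix}bookly_log.

// Vulnerable pattern (hypothetical reconstruction, for contrast only):
// the value of columns[0][data] is concatenated straight into ORDER BY,
// so a time-based expression such as the one in the advisory is executed.
function logs_query_vulnerable( wpdb $wpdb, array $req ): string {
    $order_col = $req['columns'][0]['data'] ?? 'created_at';
    // prepare() only handles values (%s, %d, ...), not identifiers, and
    // esc_sql() is useless here because the string is not inside quotes.
    return "SELECT * FROM {$wpdb->prefix}bookly_log ORDER BY {$order_col} DESC";
}

// Hardened form: the client never chooses an identifier. The requested key
// is looked up in a fixed allow-list; anything unknown falls back to the
// default column. Values (search term, paging) go through $wpdb->prepare().
const LOG_SORTABLE_COLUMNS = array(   // assumed column set
    'created_at' => 'created_at',
    'action'     => 'action',
    'target'     => 'target',
);

function logs_order_column( $requested ): string {
    $key = is_string( $requested ) ? $requested : '';
    return LOG_SORTABLE_COLUMNS[ $key ] ?? 'created_at';
}

function logs_query_hardened( wpdb $wpdb, array $req ): string {
    $order_col = logs_order_column( $req['columns'][0]['data'] ?? 'created_at' );
    // Sort direction is likewise reduced to one of two literals.
    $dir = strtoupper( (string) ( $req['order'][0]['dir'] ?? 'desc' ) ) === 'ASC' ? 'ASC' : 'DESC';
    // The search term is a value: escape LIKE wildcards, then bind with %s.
    $like = '%' . $wpdb->esc_like( (string) ( $req['search']['value'] ?? '' ) ) . '%';
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bookly_log
         WHERE target LIKE %s
         ORDER BY {$order_col} {$dir}
         LIMIT %d OFFSET %d",
        $like,
        max( 1, (int) ( $req['length'] ?? 25 ) ),
        max( 0, (int) ( $req['start'] ?? 0 ) )
    );
}

// Sample (constructed) request shaped like the one in the advisory: the
// malicious column name is simply not in the allow-list, so the hardened
// query sorts by created_at and the injected expression never reaches SQL.
$constructed_request = array(
    'columns' => array( array( 'data' => '(select*from(select(sleep(10)))a)' ) ),
    'order'   => array( array( 'dir' => 'asc' ) ),
    'search'  => array( 'value' => 'booking' ),
    'start'   => 0,
    'length'  => 25,
);
// logs_order_column( $constructed_request['columns'][0]['data'] ) === 'created_at'
```

Because the allow-list maps keys to identifiers, the sort column can only ever be one of the three strings the plugin author wrote, regardless of the request. The same rule applies to any other identifier-position input from DataTables (`order[0][column]`, `columns[n][name]`): resolve it to a fixed value on the server, and reserve `$wpdb->prepare()` for the values that belong inside quotes. For detection, a request to the logs endpoint whose `columns[...][data]` parameter contains parentheses or SQL keywords rather than a bare column name is a clear anomaly worth alerting on in the web server or WAF logs.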