The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
1. Go to Elementor > Tools > Replace URL
2. Fill the first field with `http://localhost:8000/`
3. Fill the second field with `http://localhost:8000/?test'),meta_key='key4'where+meta_id=SLEEP(2);#`
4. Note the additional time taken by the request, demonstrating the SQL injection vulnerability.
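
The fix pattern for the flaw described above, as an added example that is not Elementor's code: a hypothetical `example_replace_urls()` helper that binds both Replace URL values through `$wpdb->prepare()` instead of concatenating them. The function name, the `example_builder_data` meta key and the use of the postmeta table are assumptions for illustration.

```php
<?php
// Added example, not Elementor's code. example_replace_urls() and the
// 'example_builder_data' meta key are hypothetical; postmeta is assumed.
function example_replace_urls( $from, $to ) {
	global $wpdb;

	// The tool is an administrator feature, so gate it on that capability.
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error( 'forbidden', 'Insufficient permissions.' );
	}

	// Normalise input and require two different, well-formed http(s) URLs.
	$from = esc_url_raw( trim( (string) $from ), array( 'http', 'https' ) );
	$to   = esc_url_raw( trim( (string) $to ), array( 'http', 'https' ) );
	if ( ! filter_var( $from, FILTER_VALIDATE_URL ) || ! filter_var( $to, FILTER_VALIDATE_URL ) || $from === $to ) {
		return new WP_Error( 'invalid_url', 'Both values must be valid, different URLs.' );
	}

	// Validation is not the fix: quotes and parentheses are legal URL
	// characters, so a value can pass the checks above and still break out of
	// a string literal if it is concatenated into the statement, as in:
	//   "... REPLACE(meta_value, '" . $from . "', '" . $to . "') ..."
	// Binding through prepare() keeps both values as data.
	$sql = $wpdb->prepare(
		"UPDATE {$wpdb->postmeta}
		 SET meta_value = REPLACE(meta_value, %s, %s)
		 WHERE meta_key = %s AND meta_value LIKE %s",
		$from,
		$to,
		'example_builder_data',
		'%' . $wpdb->esc_like( $from ) . '%'
	);

	$rows = $wpdb->query( $sql );
	if ( false === $rows ) {
		return new WP_Error( 'db_error', 'URL replacement failed.' );
	}
	return (int) $rows; // number of rows updated
}
```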