The plugin does not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections.
https://drive.google.com/file/d/1UBTpW3RcPR7iqTi94ueyXLwWH8aFHuoe/view?usp=sharing Payload: [aps-social id=“1 and sleep(3)”]