The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
1. Go to Elementor > Tools > Replace URL.
2. Fill the first field with http://localhost:8000/
3. Fill the second field with http://localhost:8000/?test'),meta_key='key4'where+meta_id=SLEEP(2);#
4. Note the additional time taken by the request, demonstrating the SQL injection vulnerability.
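To show the defect class and its fix, the following is an added, simplified illustration and not Elementor's own code: a Replace URL handler written in the vulnerable shape the advisory describes (values concatenated into the SQL string), beside a hardened version that validates the input and binds it through $wpdb->prepare(). The function names, the use of the postmeta table and the meta key are assumptions for illustration only.

```php
<?php
// Added illustration, not the plugin's code. Assumes a WordPress runtime
// with the global $wpdb object and the WP_Error class available.

function replace_url_vulnerable( $from, $to ) {
    global $wpdb;
    // Both values are interpolated straight into the statement. A value that
    // contains a single quote closes the REPLACE() literal and the remainder
    // is parsed as SQL, which is exactly what the time-based PoC above relies on.
    $sql = "UPDATE {$wpdb->postmeta} "
         . "SET meta_value = REPLACE(meta_value, '{$from}', '{$to}') "
         . "WHERE meta_key = '_example_meta_key'"; // placeholder meta key
    return $wpdb->query( $sql );
}

function replace_url_hardened( $from, $to ) {
    global $wpdb;

    // Authorisation first: the tool is an administrator feature.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // Input validation: only well-formed http(s) URLs are acceptable. Note that
    // esc_url_raw() does not strip a quote character, so validation alone is
    // not the fix; it only narrows what reaches the query.
    $from = esc_url_raw( $from, array( 'http', 'https' ) );
    $to   = esc_url_raw( $to, array( 'http', 'https' ) );
    if ( '' === $from || '' === $to ) {
        return new WP_Error( 'invalid_url', 'Both values must be valid http(s) URLs.' );
    }

    // The actual fix: bind every user-controlled value with a %s placeholder so
    // the database driver escapes it and it can never be parsed as SQL.
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->postmeta} SET meta_value = REPLACE(meta_value, %s, %s) WHERE meta_key = %s",
        $from,
        $to,
        '_example_meta_key' // placeholder meta key
    );
    return $wpdb->query( $sql );
}
```

With the hardened version, the PoC value from step 3 is passed to REPLACE() as an ordinary string and the trailing SLEEP() clause never executes, so the request time no longer changes.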