The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query.
View the template here CVE-2023-0630.yaml
References:
https://wpscan.com/vulnerability/b82bdd02-b699-4527-86cc-d60b56ab0c55