The email-newsletter plugin up to and including 20.15 for WordPress has SQL injection.
email-newsletter project email-newsletter