iScripts eSwap v2.4 has SQL injection via the wishlistdetailed.php User Panel ToId parameter.
iscripts eswap 2.4
CVE-Hunter:
1. CVE-2018-11372
2. CVE-2018-11373
3. CVE-2018-11470