The ninja-forms plugin prior to 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.
ninjaforms ninjaforms