Simply-Blog through 2019-01-01 has SQL Injection via the admin/deleteCategories.php delete parameter.
simply-blog project simply-blog