The KKProgressbar2 Free WordPress plugin up to and including 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks