SQL Injection in option.php (?)

after installing montezuma, my firewall plugin send some warning:

WordPress Firewall has detected and blocked a potential attack!

Web Page: MYWEB.com/wp_admin/options.php
Warning: URL may contain dangerous content!
Offending IP: 103.3.223.95 [ Get IP location ]
Offending Parameter: montezuma[maintemplate-image] = <?php get_header(); ?> <div id=\”main\” class=\”row\”> <div id=\”content\” class=\”col12\”> <?php the_post(); ?> <div id=\”post-<?php the_ID(); ?>\” <?php post_class(\’cf image-attachment\’); ?>> <h1><?php the_title(); ?></h1> <p> <?php the_time( \’j M Y\’ ); ?> | \”><?php bfa_parent_title(); ?> | <?php bfa_image_size(); ?> </p> <div class=\”post-bodycopy cf\”> <div class=\”wp-caption\”> \”><?php bfa_attachment_image( \’full\’ ); ?> <?php bfa_attachment_caption(); ?> </div> <nav class=\”singlenav cf\”> <div class=\”older\”><?php previous_image_link( false ); ?></div> <div class=\”newer\”><?php next_image_link( false ); ?></div> </nav> <div class=\”entry-description\”> <?php the_content(); ?> <?php wp_link_pages( array( \’before\’ => \'<div class=\”page-links\”>\’ . __( \’Pages:\’, \’montezuma\’ ), \’after\’ => \'</div>\’ ) ); ?> </div> </div> <?php edit_post_link( __( \”Edit\”, \’montezuma\’ ) ); ?> <div class=\”post-footer\”> <p><?php bfa_image_meta(); ?></p> </div> </div> <?php comments_template(); ?> </div> </div> <?php get_footer(); ?>

This may be a “WordPress-Specific SQL Injection Attack.”