Thanks for raising this with us. The report is right in pointing out that those parameters aren't sanitised (which we will address immediately). It's worth pointing out, though, that this is an administration module (protected by WordPress's user permissions), rather than one that can be accessed anonymously.
Our dev team are correcting this as we speak; after all, just because someone has administration privileges over our plugin doesn't mean we should expose the rest of the database. Once again, thanks for making us aware of this.
P.S. I don't have access to seclists; would you mind posting my response there and letting me know if there's any follow-up?