• Resolved justmejames

    (@justmejames)


    The vulnerability that has been patched (thank you): was this accessible to logged-in users of a site?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author simonpedge

    (@simonpedge)

    I applied this fix in response to an email I received from WordFence Security – the description they provided:

    Description
    The duplicating slider functionality of the plugin is vulnerable to SQL injection due to missing parameterization and escaping on the values supplied to the SQL query used for postmeta duplication. This makes it possible for authenticated attackers to inject additional SQL queries into custom meta that will execute during slider duplication. This can be exploited by an attacker to retrieve sensitive information from the database.

    So I replaced the SQL query string with the WordPress ‘prepare’ statement as suggested to prevent the SQL injection vulnerability.
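
The fix Simon describes, shown as an added example that is not the plugin's own code: a postmeta duplication loop first written the injection-prone way, then rewritten with `$wpdb->prepare()`. Function names, the `$source_id`/`$target_id` parameters and the sample meta value are assumptions for illustration only.

```php
<?php
/**
 * Added example (not the plugin's code): duplicating one post's postmeta rows
 * onto another post. Assumes $source_id and $target_id are post IDs supplied
 * by the duplication handler; both function names are hypothetical.
 */

// VULNERABLE: meta_key and meta_value read back from the database are
// concatenated straight into the INSERT string. Any logged-in user who can
// store custom meta such as   '),(0,'x','y'); --   on the source post
// closes the quoted literal and alters the statement when the slider is
// duplicated (a second-order injection: the payload is stored first and
// only fires on duplication).
function slider_duplicate_postmeta_vulnerable( $source_id, $target_id ) {
    global $wpdb;

    $rows = $wpdb->get_results(
        "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = {$source_id}"
    );

    foreach ( $rows as $row ) {
        $wpdb->query(
            "INSERT INTO {$wpdb->postmeta} (post_id, meta_key, meta_value)
             VALUES ({$target_id}, '{$row->meta_key}', '{$row->meta_value}')"
        );
    }
}

// HARDENED: every value that is not a fixed part of the query travels
// through a placeholder. %d casts to an integer; %s is escaped and quoted by
// $wpdb->prepare(), so the stored meta value is always treated as data and
// never as SQL, whatever quotes or semicolons it contains.
function slider_duplicate_postmeta_safe( $source_id, $target_id ) {
    global $wpdb;

    $source_id = (int) $source_id;
    $target_id = (int) $target_id;

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = %d",
            $source_id
        )
    );

    foreach ( $rows as $row ) {
        $wpdb->query(
            $wpdb->prepare(
                "INSERT INTO {$wpdb->postmeta} (post_id, meta_key, meta_value) VALUES (%d, %s, %s)",
                $target_id,
                $row->meta_key,
                $row->meta_value
            )
        );
    }
}
```

The same result can be had with `$wpdb->insert( $wpdb->postmeta, array( 'post_id' => $target_id, 'meta_key' => $row->meta_key, 'meta_value' => $row->meta_value ), array( '%d', '%s', '%s' ) )`, which builds the prepared INSERT for you. Either way, the check when reviewing a fix like this is that no variable, including values that came out of the database, is interpolated into the query string outside a placeholder.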

    Thread Starter justmejames

    (@justmejames)

    Thanks for the info Simon.

    Plugin Author simonpedge

    (@simonpedge)

    No problem.


The topic ‘SQL Vulnerability Fixed’ is closed to new replies.