User Meta Manager [Blind SQLI]

Description

AJAX actions umm_edit_user_meta and umm_delete_user_meta of the User Meta Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection attacks. A registered user can pass arbitrary MySQL commands to umm_user GET param.

PoC