Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API.