Simply-Blog through 2019-01-01 has SQL Injection via the admin/deleteCategories.php delete parameter.