Parameterized the cleanup query in remove_completed() using $wpdb->prepare() to safely bind the action hook and status (and limit), preventing SQL injection risks from dynamic values when deleting completed Action Scheduler entries.
This vulnerability affects the following application versions:
- WP Mail SMTP 4.1.0
- WP Mail SMTP 4.1.1