static::$id = esc_sql($_GET["post"]);
And yeah, esc_sql() doesn't work in all cases (see here: https://developer.wordpress.org/reference/functions/esc_sql/...) and in this case it's vulnerable.
But the author did try to prevent SQL injections, and misuse of functions happens sometimes ¯\_(ツ)_/¯. It's not that trivial when reading the code. A Stored XSS Via CSRF is also far from trivial.
In conclusion, we all write bugs. Some are tricky. Don't be so angry!
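An added example, not part of the comment above and not the plugin's code: it shows why escaping that only protects quoted string literals, which is what esc_sql() is documented to do, fails when the value lands in an unquoted numeric position, and how integer validation with a bound parameter closes the gap. Assumptions: the page does not show the query, so the unquoted placement is assumed; `escape_quotes` is a stand-in for string escaping, SQLite stands in for MySQL, and the table, functions and inputs are constructed.

```python
import sqlite3

def escape_quotes(value: str) -> str:
    """Stand-in for string-literal escaping (hypothetical, not WordPress code)."""
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a posts table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?)",
                   [(1, "public"), (2, "draft"), (3, "private")])
    return db

def lookup_unquoted(db, post_param: str) -> list:
    # Misuse: the escaped value sits outside quotes, so nothing needs
    # to be "broken out of" and the escaping changes nothing.
    sql = "SELECT id FROM posts WHERE id = " + escape_quotes(post_param)
    return sorted(row[0] for row in db.execute(sql))

def lookup_quoted(db, post_param: str) -> list:
    # Intended use: the escaped value stays inside a quoted literal.
    sql = "SELECT id FROM posts WHERE id = '" + escape_quotes(post_param) + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_bound(db, post_param: str) -> list:
    # Hardened: accept only an integer, then bind it as a parameter.
    try:
        post_id = int(post_param)
    except ValueError:
        return []
    rows = db.execute("SELECT id FROM posts WHERE id = ?", (post_id,))
    return sorted(row[0] for row in rows)

# Constructed input: contains no quote character at all.
CONSTRUCTED_INPUT = "2 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("unquoted:", lookup_unquoted(db, CONSTRUCTED_INPUT))
    print("quoted:  ", lookup_quoted(db, CONSTRUCTED_INPUT))
    print("bound:   ", lookup_bound(db, CONSTRUCTED_INPUT))
```

In WordPress itself the equivalent hardening is casting with `absint()` or passing the value through `$wpdb->prepare()` with a `%d` placeholder.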