The security flaw would — conceivably — arise if user input is put directly into the table without validation and users are limited to what they can see.
That is, if '%' could allow someone to see data they shouldn’t.
However, using a column name for the like pattern is not a SQL injection risk, in the sense that it cannot cause another command to “inadvertently” run. And if you are putting the patterns into the table for matching purposes, there is no additional risk.
There might be a concern with performance, but that is another issue entirely.
Can storing wildcard strings in a column (to be used with LIKE operator) cause unexpected query results or security issues?
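To make the distinction in the answer concrete, here is an added example (not code from the original post) using Python's built-in sqlite3 module. It stores per-user LIKE patterns in a `filters` table and joins them against a `files` table; the table names, the `escape_like` helper and all sample rows are constructed for the illustration. It shows that a stored pattern containing SQL text is inert (no injection, because the pattern is only ever a compared value), that a stored bare `%` over-exposes rows when the pattern is the only thing limiting visibility, and that escaping LIKE metacharacters before storage is the mitigation when the stored text is meant to match literally.

```python
import sqlite3

# Constructed sample data for the demonstration.
ROWS = [
    ("alice", "report-2024.pdf"),
    ("alice", "report-draft.pdf"),
    ("bob", "payroll.xlsx"),
]


def escape_like(literal: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so user-supplied text matches literally.

    The escape character itself is doubled first so the result is unambiguous.
    """
    return (literal.replace(esc, esc + esc)
                   .replace("%", esc + "%")
                   .replace("_", esc + "_"))


def build_db() -> sqlite3.Connection:
    """In-memory database with a files table and a per-user pattern table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files(owner TEXT, name TEXT)")
    conn.execute("CREATE TABLE filters(owner TEXT, pattern TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", ROWS)
    return conn


def visible_files(conn: sqlite3.Connection, owner: str) -> list:
    """File names matched by the owner's stored patterns.

    Note the weak design the answer describes: visibility is governed only by
    the stored pattern, not by files.owner, so an over-broad pattern sees all.
    """
    cur = conn.execute(
        "SELECT f.name FROM files f "
        "JOIN filters p ON f.name LIKE p.pattern ESCAPE '\\' "
        "WHERE p.owner = ? ORDER BY f.name",
        (owner,),
    )
    return [row[0] for row in cur]


def demo(raw_pattern: str, escape: bool = False):
    """Store one pattern for alice and report (matched names, files table intact)."""
    conn = build_db()
    pattern = escape_like(raw_pattern) if escape else raw_pattern
    # Bound parameter: the pattern is data, never part of the SQL text.
    conn.execute("INSERT INTO filters VALUES (?, ?)", ("alice", pattern))
    matches = visible_files(conn, "alice")
    intact = conn.execute("SELECT COUNT(*) FROM files").fetchone()[0] == len(ROWS)
    conn.close()
    return matches, intact


if __name__ == "__main__":
    print("intended prefix pattern :", demo("report%"))
    print("bare wildcard, raw      :", demo("%"))          # sees bob's file too
    print("SQL text as pattern     :", demo("'; DROP TABLE files; --"))
    print("bare wildcard, escaped  :", demo("%", escape=True))
```

The third case is the answer's point about injection: the stored string is compared by LIKE and nothing is executed, so the table survives. The second case is the data-exposure concern: if users can write an unvalidated `%` into the pattern column, the join returns rows beyond what they were meant to see. Escaping (or a second predicate on `files.owner`) closes that gap.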