One can perform an SQL injection attack simply by exploiting the wp_ajax_nopriv_rating_vote action.
POST parameters data_target and data_vote can be used to execute arbitrary SQL commands in the database.
In the following PoC we change the administrator's password to '1' so that a malicious user can then log in as the administrator, taking full control of the website.
Note that we assume that the table name prefix is 'wp' and the administrator's user ID is 1, a very common scenario.
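
For defenders, an added example (not part of the original advisory or the plugin's code): a Python filter over captured requests that flags calls to the rating_vote AJAX action whose data_target or data_vote is not a plain integer. It assumes request bodies are available (for example from a WAF or reverse-proxy audit log) and that legitimate values are numeric; the function name and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"   # endpoint that dispatches wp_ajax_* hooks
ACTION = "rating_vote"                   # wp_ajax_nopriv_<action>: no login required
PARAMS = ("data_target", "data_vote")    # parameters named in the advisory


def suspicious_params(method, url, body):
    """Return the vote parameters whose value is not a plain decimal integer."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith(AJAX_PATH):
        return []
    # The action may arrive in the query string or the form body, so merge both.
    fields = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    if ACTION not in fields.get("action", []):
        return []
    flagged = []
    for name in PARAMS:
        values = fields.get(name, [])
        # Assumption: legitimate values are short ASCII decimal numbers.
        if any(not (v.isascii() and v.isdigit() and len(v) <= 10) for v in values):
            flagged.append(name)
    return flagged


# Constructed sample requests (method, URL, form body); not taken from real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", "action=rating_vote&data_target=42&data_vote=5"),
    ("POST", "/wp-admin/admin-ajax.php", "action=rating_vote&data_target=42&data_vote=5%27"),
    ("POST", "/blog/wp-admin/admin-ajax.php?action=rating_vote", "data_target=42%20--&data_vote=5"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&data_vote=x"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLE_REQUESTS:
        hits = suspicious_params(method, url, body)
        print("ALERT" if hits else "ok   ", url, hits)
```

Flagging is a triage aid only; the underlying fix belongs in the plugin's handler, which should validate both parameters and pass them to the database through parameterized queries.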