The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins’ pro features, and uses the woocommerce-appointments plugin.
https://vulnerable-site.tld/wp-json/api/flutter_booking/get_staffs?product_id='+or+ID=sleep(10)--+-