The plugin did not escape, validate or sanitise the orderby parameter in its Search Calendars action before using it in a SQL statement, leading to an authenticated SQL injection issue.

Note (WPScanTeam): The issue was fixed without bumping the version, so there are two 2.0.6 versions out there, one vulnerable, the other with the fix.
Proof of Concept
Fixed in version 2.0.6
Martin Vierula of Trustwave
2021-08-06 (about 4 months ago)
2021-08-09 (about 4 months ago)
2021-09-10 (about 3 months ago)
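
How an orderby value can be validated before it reaches SQL, as an added example that is not the plugin's code or its actual fix. The table, columns and function names are hypothetical, and an in-memory SQLite database through PDO stands in for the WordPress database so the script runs on its own.

```php
<?php
// Added illustration: table, column and function names are hypothetical,
// not taken from the plugin.

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE calendars (id INTEGER PRIMARY KEY, name TEXT, created TEXT)');
$db->exec("INSERT INTO calendars (name, created) VALUES
    ('Salon', '2021-03-01'), ('Clinic', '2021-01-15'), ('Studio', '2021-02-20')");

// Request value => real column. Only the right-hand side ever reaches SQL.
const ORDERBY_COLUMNS = ['id' => 'id', 'name' => 'name', 'date' => 'created'];

function order_clause(string $orderby, string $order): string
{
    // Unknown keys fall back to a fixed default instead of being passed through.
    $column = ORDERBY_COLUMNS[$orderby] ?? 'id';
    // Direction is reduced to one of two literals.
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

function search_calendars(PDO $db, string $term, string $orderby, string $order): array
{
    // The search term is a value, so it is bound as a parameter.
    // ORDER BY takes an identifier, which a PDO placeholder cannot carry,
    // so it comes from order_clause() and never from the raw request string.
    $sql = 'SELECT name FROM calendars WHERE name LIKE :term '
         . order_clause($orderby, $order);
    $stmt = $db->prepare($sql);
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A listed key sorts by the mapped column and requested direction.
print_r(search_calendars($db, '', 'date', 'desc'));

// Constructed input that is not in the allow-list: both parts are replaced
// by the defaults, so the query text is the same as for a plain request.
print_r(search_calendars($db, '', 'name, created', 'sideways'));
```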