The booking-system plugin prior to 2.1 for WordPress has DOPBSPBackEndTranslation::display SQL injection via the language parameter.
pinpoint pinpoint booking system