The booking-calendar-contact-form plugin for WordPress has a SQL injection vulnerability in versions prior to 1.0.24.
codepeople booking calendar contact form