The changelog on the Appointment Booking Calendar website blandly offers "improved query security" as the note for version 1.3.19. There's no hint that it fixes a major security hole. Regardless, if you have a version of the plugin which is earlier than that, you need to update it immediately. You should also look into why your plugins aren't getting updated more often than once in six months. Neglecting updates leaves your site vulnerable to many attacks.
When you update, you should check your site for any signs of tampering. If it's been vulnerable for that long, the odds are high that it's been hacked. The surest remedy may be to remove the plugin and re-install it. That will give you a clean starting point to configure for your site.
The vulnerability exploits started before the issue was announced or fixed, so even the most zealous maintainers of their sites had a window of risk. Additional protections, such as the
Quttera Web Application Firewall, are necessary to keep application bugs from turning into corrupted websites. A well-protected website uses multiple layers of protection and keeps its defenses up to date.