The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.
Proof of Concept
Create a new funnel (All Rating Funnels sub-menu)
Create a new lead (Leads / Feedbacks sub-menu)
Invoke the following curl command to trigger a 5 second sleep
curl https://example.com/wp-admin/admin-ajax.php --data 'action=rrtngg_delete_leads&lead_ids=(SELECT SLEEP(5))) AND 1=1 #'